Abstract

A systematic approach for evaluating and optimizing the performance of
asynchronous VLSI circuits is presented. Index-priority simulation is
introduced to efficiently find minimal cycles in the state graph of a given
circuit. These minimal cycles are used to determine the causality relationships
between all signal transitions in the circuit. Once these relationships are
known, the circuit is then modeled as an extended event-rule system, which
can be used to describe many circuits, including ones that are inherently
disjunctive. An accurate indication of the performance of the circuit is
obtained by analytically computing the period of the corresponding extended
event-rule system.

Chapter 1
Introduction


1.1  Asynchronous  VLSI  Circuits 

Asynchronous VLSI circuits are those that do not use global clocks. Instead,
synchronization among components is achieved through the generation and
detection of request and acknowledgement signals. Asynchronous circuits
have many advantages over traditional synchronous systems [41, 30]. Besides
the elimination of the clock skew and synchronization failure problems
[34], asynchronous circuits also are more tolerant to variations in physical
parameters, can be more easily synthesized using systematic and modular
approaches [31], have a higher potential for low-energy computation [42],
and yield average-case instead of worst-case performance [24].

The concept of asynchronous circuits has been around since the fifties
[18]. However, it has not gained popularity until recently because of the
difficulties involved in removing hazards from early designs [44]. Since then,
several methodologies that generate functional asynchronous circuits under
various timing assumptions have been developed (for example, [10, 35, 12,
45, 39]). In particular, the Caltech approach, invented by A. J. Martin
[30], has produced many successful CMOS circuits such as stacks, arbiters
[27], routers, a 3x + 1 special-purpose processor [19], a multiply-accumulator
[40], a memory management unit [38], and, in 1988, the first asynchronous
microprocessor [32]. The favorable statistics of the microprocessor [33] and
its portability to gallium arsenide technology [43] have contributed to the
renewed interest in asynchronous designs.

The Martin synthesis method (which will be outlined in Chapter 2)
systematically transforms a high-level specification, through a series of
semantics-preserving steps, into a network of circuit elements. By
construction, the circuits produced by the method are hazard-free and operate
correctly regardless of the delays in the elements and wires, provided delays
along different branches of certain forks, known as isochronic forks, are
negligible. Such a circuit is said to be quasi-delay-insensitive (QDI) [28]. As
we shall see, if each branch of a non-isochronic fork is explicitly modeled by
a “wire operator” with arbitrary delay, then a QDI circuit is equivalent to
a speed-independent circuit [37], where the delays on elements are arbitrary
and those on wires are negligible. Due to the weak assumption on delays,
QDI circuits are very robust; of the designs mentioned above, those that
were fabricated functioned correctly on “first silicon” and could be operated
over wide ranges of supply voltages and temperatures. QDI circuits are also
relatively easy to test as demonstrated in [16].


1.2  Performance  of  Asynchronous  Circuits 

Though the delays of the elements in a QDI circuit do not affect its
functionality, they do have a direct bearing on the speed at which it operates.
This thesis presents a method to evaluate and optimize the performance of a QDI
circuit by finding appropriate sizes for its transistors. As explained below,
the approach taken is fundamentally different from the one for synchronous
circuits.

Given a synchronous circuit, the speed at which it operates depends
mainly on its clock rate. Registers are used to save data from one clock
period to the next and, as long as the sub-circuits between the registers
can complete their computations faster than the clock allowance, the system
operates successfully. Consequently, optimization of synchronous systems is
achieved by selecting an appropriate placement of the registers [20] and
limiting the delays needed to transfer and manipulate data from one register to
the next [23]. The analysis is further simplified by the fact that most of these
stages are purely combinational and that there is no feedback [22].

In a QDI circuit, however, the occurrences of signal transitions are not
regulated by a clock. Instead, each signal transition occurs as soon as an
appropriate set of other signal transitions — either produced internally or
supplied by the environment — have occurred and a sufficient amount of
delay has elapsed. Because of the absence of clocked registers to act as
separators, each particular signal transition can have an effect, directly or
indirectly, on many other signal transitions in the system. Therefore,
evaluating the performance of a small group of elements in isolation, as is done
for synchronous circuits, is no longer sufficient. Instead, in general, it is
necessary to determine the causality and delay relationships between all signal
transitions in an asynchronous circuit and its environment.

The first successful attempt to address this problem is by Burns in [6].
There, he develops the concept of Event-Rule Systems (ER-systems) where
“events” represent occurrences of signal transitions and “rules” are used
to describe their causality and delay relationships. For an ER-system that
is repetitive, he is able to compute its period and shows that it is a good
indicator of the performance of the underlying circuit.

Though ER-systems are very useful for representing and evaluating the
performance of conjunctive asynchronous systems, they cannot describe
inherently disjunctive systems where an event has more than one set of causes.
Also, though Burns recognizes the need to simulate a data-dependent circuit
to extract the causality relationships between its signal transitions, no
explicit algorithm has been given on how to systematically transform such a
circuit into a repetitive ER-system.

The purpose of this thesis is to address these two shortcomings. First,
Extended ER-systems (XER-systems) are introduced and shown to retain
many of the properties of ER-systems. In particular, we will demonstrate
how to compute the period of an XER-system and how this value reflects its
performance. Next, we will present an algorithm for converting any QDI
circuit (without arbiters) into a repetitive XER-system. The algorithm makes
use of index-priority simulation which guarantees that the XER-system it
produces has the minimal number of transitions.


1.3  Outline  of  Thesis 

This  thesis  is  organized  as  follows: 

•  Chapter  1  serves  as  a  general  introduction. 

•  Chapter  2  gives  a  brief  outline  of  Martin’s  synthesis  method. 

•  Chapter 3 explains the limitations of ER-systems in detail.

•  Chapter  4  describes  XER-systems  and  their  properties. 

•  Chapter  5  presents  the  theoretical  framework  for  analyzing  the  states 
of  a  QDI  circuit. 

•  Chapter 6 describes “index-priority simulation” for finding the minimal
periodic behavior of a QDI circuit.

•  Chapter  7  explains  how  to  use  this  behavior  to  convert  a  QDI  circuit 
into  an  XER-system. 

•  Chapter  8  serves  as  a  summary  and  points  out  some  directions  for 
future  work. 


1.4  Notation  and  Conventions 

The order of precedence for logical operators, from highest to lowest, is not
($\neg$), and ($\wedge$), or ($\vee$), implies ($\Rightarrow$), and
if-and-only-if ($\Leftrightarrow$). Set difference is denoted by “$\setminus$”
and has the same precedence as union ($\cup$) and intersection ($\cap$). Set
inclusion is denoted by “$\subseteq$” and proper set inclusion by “$\subset$.”
Also, “$\uplus$” is sometimes used to denote the union of two disjoint sets.

The existential quantification “there exists x and y, with x < y, such that
x + y = 5” is expressed as

$\exists x, y : x < y : x + y = 5.$

The same convention holds for universal quantification ($\forall$). Also, sets
are sometimes denoted with similar notation; for example, the set of perfect
squares is

$\{\, i : i \in Z : i^2 \,\}.$

Finally, i, j, k, l, m and n are always integer variables unless stated
otherwise.

Chapter 2

Compilation Method


In this chapter, we give a brief outline of Martin’s synthesis method and
show its application to two specific examples: a one-place buffer and a
zero-checker. Interested readers should refer to [30] for more details. Also, it
should be pointed out that the transformation steps described below can
be bypassed by using a syntax-directed compiler [5], though the results are
usually too large for practical use.

2.1  CSP 

At the top-most level, the specification of the circuit to be synthesized is
written as a concurrent program, using a language that is based on Hoare’s
model of Communicating Sequential Processes (CSP) [17]. A CSP program
consists of one or more processes which operate in parallel and communicate
with each other through channels. A channel connects two processes and the
two ends of a channel are referred to as ports¹.

Example 2.1: Figure 2.1 shows a set of three processes. Each process
contains an L port and an R port. Process p[0] communicates with p[1]
through the channel (p[0].R, p[1].L) and so forth. □

Figure 2.1: Communicating sequential processes

The operations performed by a process are described in the following
notation. An assignment of an expression e to a variable x is “$x := e$.”
For brevity, if x is a Boolean variable, then “$x\uparrow$” and “$x\downarrow$”
are equivalent to x := true and x := false, respectively.

¹ In some of the larger designs, for efficiency reasons, the language has been
extended to allow shared variables and buses.

A selection statement is of the form
“$[G_0 \rightarrow S_0 \;[\!]\; \ldots \;[\!]\; G_n \rightarrow S_n]$.” Each
$G_j \rightarrow S_j$ is a guarded command [11] where $G_j$ is a Boolean
expression (the guard of the command) and $S_j$ is a program part. The
operational semantics of the selection statement is: “Wait until one of the
$G_j$’s is true, then non-deterministically choose a guarded command with a
true guard and execute the corresponding program part.” The notation “$[G]$”
is a shorthand for “$[G \rightarrow \text{skip}]$” and amounts to “wait until G
is true.”

A loop statement is of the form
“$*[G_0 \rightarrow S_0 \;[\!]\; \ldots \;[\!]\; G_n \rightarrow S_n]$” and has
the operational semantics “Choose a guarded command with a true guard,
execute the corresponding program part, and repeat; if all $G_j$’s are false,
then exit loop.” The notation “$*[S]$” is an abbreviation for
“$*[\text{true} \rightarrow S]$” and means “execute S forever.”

For a channel (p.R, q.L), “$R!e$” in process p denotes the communication
action of sending the value of the expression e to the channel, and “$L?x$” in
process q denotes the communication action of receiving the value from the
channel and storing it in the variable x. Thus, the combined effect of the two
statements is to assign to the variable x in q the value of e in p. Note that
channels in CSP have no slack [25]: $R!e$ in p cannot complete and the
process suspends unless q executes the corresponding $L?x$, and vice versa.
Thus, dataless channels can be used to enforce synchronization between
processes. A communication action on such a channel is expressed by naming the
corresponding port. Also, the probe of a port L, denoted $\overline{L}$, is a
Boolean value that is true only if the communication action L can be completed
without suspension [29].

Finally, sequential composition is represented by “;” and concurrent
composition — which is weakly fair, i.e., every non-terminating component is
executed infinitely often — is represented by “||.” In addition, if A and B are
two communication actions, then A • B is their coincident execution which
means that A and B are to complete together [32].

Example 2.2: A one-place buffer that receives a data value (say, an n-bit
integer) from a port named L and sends it to a port named R can be described
as $*[L?x;\ R!x]$. □

2.1.1  Process  Decomposition 

The first step of the synthesis method is process decomposition whereby
attempts are made to convert each process into smaller sub-processes and to
extract, if possible, common program parts. Compiling smaller processes
facilitates the rest of the synthesis procedure and sharing common program
parts reduces the area of the final circuit. Also, parts of the program that
cannot be compiled into stable production rules (see Section 2.3) are
“factored out.” These program parts deal with arbitration and synchronization
of negated probes and are implemented directly as standard networks of
transistors. The one-place buffer is already simple enough so that no process
decomposition is necessary; see [26] for a larger example where this procedure
is applied.

2.1.2  Separation  of  Control  and  Datapath 

As we shall see, the datapath of a process can be implemented in a fairly
standard way. In contrast, its control needs to be systematically transformed
from one level of description to the next. Hence, for the next stage of the
synthesis method, the datapath of a process is temporarily removed and only
the control part is compiled.

Example 2.3: After the removal of the datapath, the control for the
one-place buffer is $*[L;\ R]$. □

2.2  Handshaking  Expansion 

The next step in the synthesis method represents each communication action
with operations on Boolean variables. In order to maintain correctness, the
two ends of a channel need to obey some given protocol. The two most
common protocols are two-phase handshaking and four-phase handshaking.
Due to space limitation, only the latter will be discussed.

Figure 2.2: Handshaking variables

For the four-phase handshaking protocol, one communication action on
a channel is chosen to be active and the corresponding one passive. If L is
an active communication action, then it is transformed into²

$l_o\uparrow;\ [l_i];\ l_o\downarrow;\ [\neg l_i]$

and if R is a passive communication action, then it is transformed into

$[r_i];\ r_o\uparrow;\ [\neg r_i];\ r_o\downarrow.$

The channel (p.L, q.R) is represented by connecting the output variable of
p.L with the input variable of q.R, and vice versa. See Figure 2.2 for the
transformation of Figure 2.1. In general, only passive communications can
be probed and $\overline{R}$ is compiled into $r_i$.

Example 2.4: It turns out that it is easier to implement active input ports
(data arrive only when requested) and, therefore, the communication action
L in the one-place buffer is chosen to be active. Since we want to compose one
instance of this buffer with another, the corresponding action R is required
to be passive. The handshaking expansion for the active-passive buffer is

$ap = *[\ l_o\uparrow;\ [l_i];\ l_o\downarrow;\ [\neg l_i];\ [r_i];\ r_o\uparrow;\ [\neg r_i];\ r_o\downarrow\ ].$

□

2.2.1  Reshuffling 

The last half of a four-phase handshaking protocol
($l_o\downarrow;\ [\neg l_i]$ or $[\neg r_i];\ r_o\downarrow$)
is not needed for synchronization and optimizations can often be made by
postponing it or part of it. Such a procedure is known as reshuffling.
However, care must be taken so that no deadlock ensues and data integrity is
maintained (see Chapter 6 in [6]).

² By convention, input variables are subscripted with i and output variables
with o.

Example 2.5: In the one-place buffer, there is no need to wait for $l_i$ to
become false before starting the R communication. Hence, we can postpone
the wait $[\neg l_i]$ so that it occurs as late as possible, i.e., just before
$l_o\uparrow$. The resulting protocol for L becomes

$[\neg l_i];\ l_o\uparrow;\ [l_i];\ l_o\downarrow$

and is called the lazy-active protocol [6]. The lazy-active-passive buffer is

$lap = *[\ [\neg l_i];\ l_o\uparrow;\ [l_i];\ l_o\downarrow;\ [r_i];\ r_o\uparrow;\ [\neg r_i];\ r_o\downarrow\ ],$

and, in general, it outperforms the active-passive buffer due to the postponed
wait. □


2.2.2  State  Variable  Insertion 

If there are two states in a reshuffled handshaking expansion that are
indistinguishable, then state variables need to be introduced to differentiate
them.

Example 2.6: In lap, each variable in the state after $l_o\downarrow$ may have
the same value as in the state after $r_o\downarrow$. Hence, a state variable is
needed. We have chosen, among many others, the following state variable
assignment:

$lap' = *[\ [\neg l_i];\ l_o\uparrow;\ [l_i];\ s\uparrow;\ l_o\downarrow;\ [r_i];\ r_o\uparrow;\ [\neg r_i];\ s\downarrow;\ r_o\downarrow\ ].$

□

2.3  Production  Rules 

Once a handshaking expansion with all states distinguishable has been
obtained, the explicit sequential operators (the “semi-colons”) are removed by
transforming it into a set of production rules. A production rule (PR) is
of the form “$G \rightarrow S$” where G, a Boolean expression, is its guard and
S, an assignment of true or false to a Boolean variable, is its assignment or
output transition. A PR is enabled if its guard is true. A PR fires when its
assignment is executed — the firing is effective if it causes a state change;
else, it is vacuous. The operational semantics of a PR is that it may fire if
it is enabled. The operational semantics of a set of PR’s is the weakly fair
concurrent composition of the PR’s in the set.

A PR is stable if once it is enabled, it remains enabled until it fires.
For any variable x, a PR for $x\uparrow$ and a PR for $x\downarrow$ are
complementary and two complementary PR’s are non-interfering if they are never
both enabled. Many of the later results rely on the following observation made
by Martin [30]:

Under the stability of each PR and non-interference among
complementary PR’s, the concurrent execution of the PR’s of a set is
equivalent to the following sequential execution:

*[ select a PR with a true guard; fire the PR ]
where the selection is weakly fair.

Ignoring arbiters and synchronizers, all PR’s generated by the synthesis
method satisfy the stability and non-interference conditions above. So, from
now on, we will assume that there is only one PR for each transition since
$G_0 \rightarrow x\uparrow$ and $G_1 \rightarrow x\uparrow$ can be replaced by
$G_0 \vee G_1 \rightarrow x\uparrow$.

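Example 2.7: The lap buffer is compiled into the following PR set:

$$\begin{array}{ll}
\neg l_i \wedge \neg s \wedge \neg r_o \rightarrow l_o\uparrow & r_i \wedge s \wedge \neg l_o \rightarrow r_o\uparrow \\
l_i \wedge l_o \rightarrow s\uparrow & \neg r_i \wedge r_o \rightarrow s\downarrow \\
s \rightarrow l_o\downarrow & \neg s \rightarrow r_o\downarrow
\end{array}$$

The PR set is minimal in the sense that the set of the literals in each of the
guards cannot be replaced by a smaller subset. □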
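
The stability and non-interference conditions can be checked mechanically for the PR set of Example 2.7 by enumerating every state reachable under the sequential firing semantics quoted above. The following is an added example, not code from the thesis; the environment rules, the all-false initial state, and the names `analyse` and `drop_literal` are assumptions made for the illustration.

```python
from collections import deque

VARS = ("li", "lo", "s", "ri", "ro")
IDX = {name: i for i, name in enumerate(VARS)}

# A production rule is (guard, variable, value). Every guard in Example 2.7 is
# a single conjunction, so a guard is stored as {variable: required value}.
LAP_BUFFER = [
    ({"li": 0, "s": 0, "ro": 0}, "lo", 1),  # ~li & ~s & ~ro -> lo+
    ({"li": 1, "lo": 1}, "s", 1),           # li & lo        -> s+
    ({"s": 1}, "lo", 0),                    # s              -> lo-
    ({"ri": 1, "s": 1, "lo": 0}, "ro", 1),  # ri & s & ~lo   -> ro+
    ({"ri": 0, "ro": 1}, "s", 0),           # ~ri & ro       -> s-
    ({"s": 0}, "ro", 0),                    # ~s             -> ro-
]

# Assumed environment (not given in the text): a passive partner on port L and
# an active partner on port R, both following the four-phase protocol.
ENVIRONMENT = [
    ({"lo": 1}, "li", 1),  # lo  -> li+
    ({"lo": 0}, "li", 0),  # ~lo -> li-
    ({"ro": 0}, "ri", 1),  # ~ro -> ri+
    ({"ro": 1}, "ri", 0),  # ro  -> ri-
]


def enabled(rule, state):
    """A PR is enabled when every literal of its guard holds in the state."""
    guard, _, _ = rule
    return all(state[IDX[v]] == val for v, val in guard.items())


def effective(rule, state):
    """Enabled, and firing would actually change the target variable."""
    _, var, val = rule
    return enabled(rule, state) and state[IDX[var]] != val


def fire(rule, state):
    _, var, val = rule
    nxt = list(state)
    nxt[IDX[var]] = val
    return tuple(nxt)


def analyse(rules, initial=(0,) * len(VARS)):
    """Breadth-first walk of the state graph.

    Returns (reachable states, violations); a violation is a tuple
    (kind, variable, state) with kind in
    {"unstable", "interference", "deadlock"}.
    """
    seen, queue, violations = {initial}, deque([initial]), []
    while queue:
        state = queue.popleft()
        # Non-interference: the up and down rules of a variable are never
        # both enabled in the same state.
        for up in rules:
            for down in rules:
                if (up[1] == down[1] and up[2] == 1 and down[2] == 0
                        and enabled(up, state) and enabled(down, state)):
                    violations.append(("interference", up[1], state))
        ready = [r for r in rules if effective(r, state)]
        if not ready:
            violations.append(("deadlock", None, state))
        for fired in ready:
            nxt = fire(fired, state)
            # Stability: every other pending rule must still be enabled.
            for pending in ready:
                if pending is not fired and not enabled(pending, nxt):
                    violations.append(("unstable", pending[1], state))
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen, violations


def drop_literal(rules, index, var):
    """Copy of rules with one literal removed from the guard of rules[index]."""
    out = list(rules)
    guard, target, value = out[index]
    out[index] = ({v: b for v, b in guard.items() if v != var}, target, value)
    return out


if __name__ == "__main__":
    states, bad = analyse(LAP_BUFFER + ENVIRONMENT)
    print(len(states), "reachable states,", len(bad), "violations")
    _, bad = analyse(drop_literal(LAP_BUFFER, 0, "ro") + ENVIRONMENT)
    print("without ~ro in the guard of lo+:", sorted({(k, v) for k, v, _ in bad}))
```

With the assumed environment the buffer has 20 reachable states and no violations; removing the literal for r_o from the guard of the rule that raises l_o makes the rule that lowers r_o unstable and lets both rules for s be enabled at once.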

Before continuing with the compilation method, several properties of PR
sets need to be listed for future reference. A self-invalidating PR is one
whose firing falsifies its own guard. An example of a self-invalidating PR is
$\neg x \rightarrow x\uparrow$. Since they never occur in actual circuits,
self-invalidating PR’s will be disallowed in this paper.

Next, occasionally, it will be convenient to regard the guard of a PR as
written in disjunctive-normal-form (DNF)

$B_0 \vee B_1 \vee \ldots \vee B_m$

with each $B_i$ being a conjunction of the form

$l_{i,0} \wedge l_{i,1} \wedge \ldots \wedge$

and each $l_{i,j}$ is a literal (a variable or its negation). $B_i$ is said to
contain a literal $l$ if there exists j such that $l = l_{i,j}$. A disjunct of
a PR refers to a conjunction in the DNF of the guard of the PR. The disjuncts
of a PR are mutually exclusive (mutex) if at most one of them is true in any
state. A disjunct $B_i$ of a PR is a stable disjunct if, whenever $B_i$ is
true, it remains true until the PR fires. A PR set has only stable disjuncts if
all disjuncts in all of its PR’s are stable disjuncts.

2.3.1  Reset  Signal 

In  order  to  put  the  circuit  in  the  proper  state  upon  power-up,  a  reset  signal 
is  added  to  the  PR  set. 

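Example 2.8: Adding the reset signal to the PR set above yields

$$\begin{array}{ll}
\neg Reset \wedge \neg l_i \wedge \neg s \wedge \neg r_o \rightarrow l_o\uparrow & r_i \wedge s \wedge \neg l_o \rightarrow r_o\uparrow \\
l_i \wedge l_o \rightarrow s\uparrow & Reset \vee \neg r_i \wedge r_o \rightarrow s\downarrow \\
Reset \vee s \rightarrow l_o\downarrow & \neg s \rightarrow r_o\downarrow.
\end{array}$$

To avoid complicating the PR sets, in the sequel, the reset signal will no
longer be explicitly mentioned. □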

2.3.2  Symmetrization  and  Operator  Reduction 

The next step of the synthesis method forms the operator for each non-input
variable y by grouping together the two complementary PR’s with output
transitions on y. Occasionally, it is possible to change some of the guards
to yield standard operators such as OR-gates and Muller C-elements [36] —
this process is known as symmetrization.

Example 2.9: Consider the Q-element

$*[\ [l_i];\ r_o\uparrow;\ [r_i];\ s\uparrow;\ r_o\downarrow;\ [\neg r_i];\ l_o\uparrow;\ [\neg l_i];\ s\downarrow;\ l_o\downarrow\ ].$

If it is implemented as the following minimal PR set

$$\begin{array}{ll}
\neg s \wedge l_i \rightarrow r_o\uparrow & s \wedge \neg r_i \rightarrow l_o\uparrow \\
r_i \rightarrow s\uparrow & \neg l_i \rightarrow s\downarrow \\
s \rightarrow r_o\downarrow & \neg s \rightarrow l_o\downarrow,
\end{array}$$

then the operator for $r_o$ is state-holding. Note, however, that the PR set
still implements the Q-element if the guard for $r_o\downarrow$ is weakened to
$s \vee \neg l_i$. In this new PR set, the operator for $r_o$ is a two-input
AND-gate, which, in CMOS, can be more cheaply implemented than the original
state-holding element. A similar improvement results from weakening the guard
for $l_o\downarrow$ to $\neg s \vee r_i$.
□

The actual implementation of the operators depends on the target
technology; the rest of this chapter assumes that CMOS has been chosen.

2.3.3 Isochronic Forks and Bubble Shuffling

Given a PR set $\mathcal{P}$, let x be a variable appearing in either guard of
the operator for y. Consider the new PR set $\mathcal{P}'$ obtained by adding
the wire operator

$x \rightarrow x'\uparrow, \qquad \neg x \rightarrow x'\downarrow$

to $\mathcal{P}$ and replacing each occurrence of x in the guards of the
operator for y with $x'$. If, when $x'$ is ignored, $\mathcal{P}$ and
$\mathcal{P}'$ behave differently, then the variable x and operator for y are
said to form an isochronic branch. Note that this situation implies that the
delay modeled by the wire operator affects the functionality of $\mathcal{P}$.
Hence, $\mathcal{P}$ operates as specified only if the delays on its
isochronic branches are negligible. If variable x forms an isochronic branch
with any operator, then x is an isochronic fork.

Example 2.10: Let (x, y) denote the branch from variable x to the operator
for y. Then, in Example 2.7, $(s, l_o)$ and $(s, r_o)$ are non-isochronic
branches and all other branches are isochronic. So, $l_o$, $r_i$, and $r_o$ are
isochronic forks. □

For CMOS implementation, a given PR set needs to be converted to one
that is CMOS-mappable (CM) where the literals in the guards of the PR’s
with down-going transitions are positive and the literals in the guards of the
PR’s with up-going transitions are negative. To effect this transformation,
inverters may be needed to produce $x\_$, the negative sense of a variable
x. However, to avoid adding assumptions on the speed of these inverters,
it is preferable that no inverter be added on any isochronic branch. This
requirement, unfortunately, cannot always be satisfied. When this situation
arises, one can either alter the original PR set or analyze the circuit to make
as weak a timing assumption as possible.

Example 2.11: Consider the PR set of Example 2.7. A CM operator for $l_o$
is

$\neg l_i \wedge \neg s \wedge \neg r_o \rightarrow l_o\uparrow \qquad s \rightarrow l_o\downarrow.$

For s, there are two choices:

$\neg l_{i\_} \wedge \neg l_{o\_} \rightarrow s\uparrow \qquad r_{i\_} \wedge r_o \rightarrow s\downarrow$

or

$l_i \wedge l_o \rightarrow s\_\downarrow \qquad \neg r_i \wedge \neg r_{o\_} \rightarrow s\_\uparrow.$

The first choice requires an inverter on the branch $(l_i, l_o)$ or
$(l_{i\_}, s)$; the second requires an inverter on $(r_o, l_o)$ or
$(r_{o\_}, s)$. Similar observations hold if we had chosen a CM operator for
instead of $l_o$. Thus, in order to transform the PR set into a CM one, an
inverter needs to be placed on one of the isochronic branches.

Note, however, that the original handshaking expansion, lap, can also be
implemented by

$$\begin{array}{ll}
\neg l_i \wedge \neg s \wedge \neg r_o \rightarrow l_o\uparrow & r_i \wedge s \wedge \neg l_o \rightarrow r_o\uparrow \\
l_i \wedge l_o \rightarrow s\uparrow & \neg r_i \wedge r_o \rightarrow s\downarrow \\
l_i \wedge s \rightarrow l_o\downarrow & \neg r_i \wedge \neg s \rightarrow r_o\downarrow
\end{array}$$

where two of the guards (for $l_o\downarrow$ and $r_o\downarrow$) have been
strengthened. The branches $(l_i, l_o)$ and $(r_i, r_o)$ are now
non-isochronic. This new PR set can be transformed into the following CM one
without introducing any inverters on isochronic branches:

-'k  — >  kA 

l>i-  A  A  T0-  *  fc4 

— >  4>T 

l>i  A  /G  *  5  4 

h  *  h  4 

—< li- A —< 5_  — >  /(,_! 

fc-  *  44 

n  ->  a  4 


“I Tj_  A  “1 5_  A  —>l0 

-ra 

~^r0- 

Tj  A  -T0_ 

T'i _  A  5_ 

~^-r0 

rQ- 


-ra  T 
r04 

roT 

a-T 

n-T 

-r4 

rn-T 

r4. 


The signal $\_r_o$ is an internal version of $r_o$; $\_r_o$ is needed to
generate $r_{o\_}$ which, in turn, generates $r_o$, the output to the
environment. □

As  can  be  seen  by  the  previous  example,  a  CM  PR  set  can  be  significantly 
larger  than  its  counterpart  before  bubble  shuffling.  Hence,  for  conciseness, 
PR  sets  that  are  not  CM  will  be  used  for  illustrative  purposes,  even  though  it 
should  be  pointed  out  that  transistor  sizing,  as  described  in  the  next  section, 
is  relevant  only  for  CM  PR  sets. 


2.4  CMOS  Circuit 

Each CM operator for y is realized as a CMOS element so that there is a
connecting path from VDD to the output when the guard for $y\uparrow$ is true
and one from GND to the output if the guard for $y\downarrow$ is true. A
staticizer is added on the output if it is needed to maintain the charge when
both guards are false. Due to electrical considerations, there is an upper
limit on how many transistors can be in series on each connecting path; this
limit translates into a bound on the number of literals in each conjunction of
the guards.

Example 2.12: The transistor network for the previous example, without
staticizers, is shown in Figure 2.3, where every four-way intersection
represents an overlap and not a connection. □


2.4.1  Transistor  Sizing 

For a CMOS element, the time it takes for its output node to change value
once a connecting path to VDD or GND is established depends, to a large
degree, on R, the effective resistance of the transistors in the path, and C,
the capacitive load on the output node. Both R and C are functions of the
transistor sizes in the network, plus parasitic wiring capacitances. One of
the goals of this paper is to develop a method to determine the appropriate
transistor sizes so that the network can operate at optimal speed. Because
of the close correspondence between a CM PR set and the CMOS circuit
that implements it, the analysis will be performed on the former using the
implicit assumption that the delays between occurrences of transitions can
be expressed as functions of the appropriate transistor sizes. Some schemes
for computing these delays are given in [13, 21, 7, 4, 9, 8].


2.5  Datapaths 

In contrast to the control part, the datapath of a process can usually be
implemented efficiently by combining members from a standard set of components
such as registers, adders, completion trees, etc. This section describes the
nature of some of these components and how they can be put together to
form a datapath.

2.5.1 Registers


The input part of a binary register, $ireg = *[P?x]$, can be implemented by
the handshaking expansion

$*[[\ pT_i \rightarrow x\uparrow;\ p_o\uparrow;\ [\neg pT_i];\ p_o\downarrow$
$\ \ [\!]\ pF_i \rightarrow x\downarrow;\ p_o\uparrow;\ [\neg pF_i];\ p_o\downarrow$
$]].$

Note that a Boolean value is communicated in a delay-insensitive manner by
using dual-rail encoding where one data signal ($pT_i$) is raised if a 1 is
sent, and a different data signal ($pF_i$) is raised if a 0 is sent. The raised
signal is then lowered during the second half of the handshaking protocol. A
dual-rail port is said to have a valid value if exactly one of the two data
signals is high; it has a neutral value if both signals are low [24]. For other
encoding schemes, see [2, 46].

As  written  above,  ireg  cannot  be  implemented  without  adding  an  inverter 
on  an  isochronic  branch.  However,  this  problem  can  be  removed  if  x  is  stored 
in  true-complement  form  as  shown  below: 

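\[
\begin{array}{l}
*[[\ pT_i \rightarrow x0\downarrow;\ x1\uparrow;\ p_o\uparrow;\ [\neg pT_i];\ p_o\downarrow \\
\ \ \Box\ pF_i \rightarrow x1\downarrow;\ x0\uparrow;\ p_o\uparrow;\ [\neg pF_i];\ p_o\downarrow \\
]].
\end{array}
\]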


The  corresponding  PR  set  is 


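\[
\begin{array}{rclcrcl}
pT_i & \rightarrow & x0\downarrow & \qquad & pT_i \wedge x1 \vee pF_i \wedge x0 & \rightarrow & p_o\_\downarrow \\
\neg x0 \wedge \neg pF_i & \rightarrow & x1\uparrow & & \neg p_o\_ & \rightarrow & p_o\uparrow \\
pF_i & \rightarrow & x1\downarrow & & \neg pT_i \wedge \neg pF_i & \rightarrow & p_o\_\uparrow \\
\neg x1 \wedge \neg pT_i & \rightarrow & x0\uparrow & & p_o\_ & \rightarrow & p_o\downarrow
\end{array}
\]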

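Analogously, the output part of a binary register, $oreg = *[Q!x]$, can be
written as

\[
\begin{array}{l}
*[[\ q_i \wedge x1 \rightarrow qT_o\uparrow;\ [\neg q_i];\ qT_o\downarrow \\
\ \ \Box\ q_i \wedge x0 \rightarrow qF_o\uparrow;\ [\neg q_i];\ qF_o\downarrow \\
]]
\end{array}
\]

which is compiled into

\[
\begin{array}{rclcrcl}
q_i \wedge x1 & \rightarrow & qT_o\_\downarrow & \qquad & q_i \wedge x0 & \rightarrow & qF_o\_\downarrow \\
\neg qT_o\_ & \rightarrow & qT_o\uparrow & & \neg qF_o\_ & \rightarrow & qF_o\uparrow \\
\neg q_i & \rightarrow & qT_o\_\uparrow & & \neg q_i & \rightarrow & qF_o\_\uparrow \\
qT_o\_ & \rightarrow & qT_o\downarrow & & qF_o\_ & \rightarrow & qF_o\downarrow.
\end{array}
\]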
Figure 2.4: Transferring data

2.5.2  Completion  Trees 

In ireg, a completion signal $p_o$ is generated after the bit has been stored.
If n registers of this form are used to store an n-bit integer, then the completion
signals from these n registers need to be combined to form a single
acknowledgement signal. This task is accomplished by the C-element

\[
\begin{array}{rcl}
p[0].p_o \wedge p[1].p_o \wedge \ldots \wedge p[n-1].p_o & \rightarrow & p_o\uparrow \\
\neg p[0].p_o \wedge \neg p[1].p_o \wedge \ldots \wedge \neg p[n-1].p_o & \rightarrow & p_o\downarrow
\end{array}
\]

where $p[j].p_o$ is the completion signal from bit register $p[j]$ and $p_o$ is the
combined completion signal. If n is large, this n-input C-element can be
implemented by a tree of C-elements with fewer inputs; hence, the term
completion tree is used.

2.5.3  Register  Transfers 

Figure 2.4 illustrates the most common scheme for transferring data. On the
right side of the figure, where data are sent using a passive output communication
on port R, the output signal of the control part, $r_o$, is used to cause
the registers to send out their values in dual-rail form. And, as shown on the
left side of the figure, for an active input communication on port L, data are
latched into registers and a combined completion signal is then generated to
serve as the acknowledgement for the control part.

Figure 2.5: Implementation for $b := f(a)$

Example 2.13: The schematic for the one-place buffer $*[L?x;\ R!x]$ is
shown in Figure 2.4 where the control part is the network of Figure 2.3
and, for each $j$, $0 \leq j < n$, $p[j].x0$ is connected to $q[j].x0$ and $p[j].x1$ is
connected to $q[j].x1$. □

2.5.4  Function  Blocks 

A function block for a given function $f$ repeatedly accepts an argument and
produces its image under $f$. The assignment $b := f(a)$, where a and b
are lists of registers, is usually implemented by sending the values of a to a
function block for $f$ and storing the result in b, as Figure 2.5 illustrates.³ A
possible protocol [24] for a function block is

\[ *[[v(X)];\ F\Uparrow;\ [n(X)];\ F\Downarrow] \]

where $v(X)$ means that input port X has a valid value, $n(X)$ means that X
has a neutral value, $F\Uparrow$ means that output port F is set to a valid value,
and $F\Downarrow$ means that F is reset to a neutral value. Using dual-rail encoding,
a non-binary port has a valid (or, alternatively, neutral) value when all the
ports for communicating the constituent bits have valid (neutral) values. For
the implementation of an adder function block, the reader is referred to [24].

³At times, performance may be improved if the function block is combined with some
of the registers; to simplify the presentation, no such optimization is applied.
2.5.5  Zero-Checkers 

The zero-checker is an interesting function block in that it illustrates the use
of guards with disjuncts that are not mutex. Its input is an n-bit integer
X and its output is a Boolean variable F that is false if and only if X
is identically zero. An obvious approach is to implement the n-bit zero-checker
as a tree of zero-checkers of smaller size. For example, one possible
implementation of a two-bit zero-checker is zeroA below:

\[
\begin{array}{rcl}
aT_i \wedge bT_i \vee aT_i \wedge bF_i \vee aF_i \wedge bT_i & \rightarrow & cT_o\uparrow \\
aF_i \wedge bF_i & \rightarrow & cF_o\uparrow \\
\neg aT_i \wedge \neg aF_i \wedge \neg bT_i \wedge \neg bF_i & \rightarrow & cT_o\downarrow \\
\neg aF_i \wedge \neg bF_i & \rightarrow & cF_o\downarrow
\end{array}
\]

where $aT_i$ and $aF_i$ are the dual-rail signals of one of the input bits, $bT_i$ and
$bF_i$ are those for the other bit, and $cT_o$ and $cF_o$ are those of the output.
Note that all disjuncts in the guards are mutex. Also, the three disjuncts in
the guard for $cT_o\uparrow$ are necessary in order to test for the validity of the input.
Similarly, if $cT_o$ is ever raised, one needs to make sure that the appropriate
input signals have been reset before lowering $cT_o$.

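An alternative implementation of a two-bit zero-checker is to perform the
input validity and neutrality checks explicitly as done in zeroB below:

\[
\begin{array}{rclcrcl}
aT_i \vee aF_i & \rightarrow & a\uparrow & \qquad & \neg aT_i \wedge \neg aF_i & \rightarrow & a\downarrow \\
bT_i \vee bF_i & \rightarrow & b\uparrow & & \neg bT_i \wedge \neg bF_i & \rightarrow & b\downarrow \\
a \wedge b & \rightarrow & g\uparrow & & \neg a \wedge \neg b & \rightarrow & g\downarrow \\
g \wedge (aT_i \vee bT_i) & \rightarrow & cT_o\uparrow & & \neg g & \rightarrow & cT_o\downarrow \\
g \wedge (aF_i \wedge bF_i) & \rightarrow & cF_o\uparrow & & \neg g & \rightarrow & cF_o\downarrow.
\end{array}
\]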
Note that the disjuncts in the guard for $cT_o\uparrow$ are no longer mutex since
both $aT_i$ and $bT_i$ may be true. Even though zeroA has 14 literals in the
guards versus 20 for zeroB, all guards in the latter have no more than three
literals in any conjunction, and most of them have fewer. Furthermore, a direct
extension of zeroA to four bits requires 76 literals, 8 of which belong to one
conjunction, whereas a similar extension of zeroB yields 36 literals, at most
5 in a conjunction. If the four-bit zero-checker is implemented by a binary
tree of three two-bit zero-checkers of type zeroA, then 42 literals, at most 4
in a conjunction, are needed. Consequently, since each literal corresponds to
a transistor, on the basis of area and power consumption, the best way to
implement a four-bit zero-checker is with the extension of zeroB. Thus, it is
sometimes profitable to have guards with disjuncts that are not mutex.

2.5.6  Quick-Decision  Zero-Checkers 

Even if an input bit has a valid non-zero value, a zero-checker of the previous
sub-section still waits for all other input bits to have valid values before
issuing true as output. There are practical situations where this wait is a
serious drawback. For instance, for a memory access, one may need to add a
base address base to an offset offset and compare the sum to tag, the tag of
a cache line. Using bit-wise exclusive-or ($\veebar$) as the comparison operator, a
cache miss occurs if $(base + offset) \veebar tag$ is non-zero. If the adder of [24] is used,
then there is a variance in the times at which the bits of the above expression
become valid, due to the rippling effect of the carry-chains. Since a fetch from
main memory upon a cache miss should be initiated as soon as possible, it is
highly advantageous to use a quick-decision zero-checker that raises a signal
whenever one of the input bits is non-zero, without waiting for the other bits
to become valid. In order to satisfy the delay-insensitive protocol, one still
needs to wait for the validity of all input bits; however, this wait can now
proceed concurrently with operations that would otherwise be postponed.

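The PR set for a two-bit quick-decision zero-checker is zeroQ below:

\[
\begin{array}{rclcrcl}
aT_i \vee aF_i & \rightarrow & a\uparrow & \qquad & \neg aT_i \wedge \neg aF_i & \rightarrow & a\downarrow \\
bT_i \vee bF_i & \rightarrow & b\uparrow & & \neg bT_i \wedge \neg bF_i & \rightarrow & b\downarrow \\
a \wedge b & \rightarrow & g\uparrow & & \neg a \wedge \neg b & \rightarrow & g\downarrow \\
aQ_i \vee bQ_i & \rightarrow & cQ_o\uparrow & & \neg aQ_i \wedge \neg bQ_i & \rightarrow & cQ_o\downarrow \\
g \wedge cQ_o & \rightarrow & cT_o\uparrow & & \neg g \wedge \neg cQ_o & \rightarrow & cT_o\downarrow \\
g \wedge aF_i \wedge bF_i & \rightarrow & cF_o\uparrow & & \ldots & \rightarrow & cF_o\downarrow.
\end{array}
\]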


Each data bit is now represented by three signals: $cQ_o$ is true if any of the
input bits is non-zero; $cT_o$ is true if any of the input bits is non-zero and they
are all valid; and $cF_o$ is true if all input bits are zeros. Similar conventions
hold for the input signals if they are generated from another quick-decision
zero-checker. If the input is from a binary register, then $aQ_i$ is the same
signal as $aT_i$.

Note that, in a tree of zeroQ's, the latency between one of the input bits
assuming a non-zero value and the final $cQ_o$ becoming true is simply the
delay of a tree of OR-gates. So, zeroQ serves as another example of a useful
PR set containing a guard with disjuncts (namely, $aQ_i$ and $bQ_i$) that are not
mutex.
Chapter 3

Event-Rule Systems


We begin this chapter by describing the Event-Rule Systems (ER-systems)
invented by Burns [6] and showing how they can be used to model simple
systems. We then point out some of the difficulties involved when ER-systems
are used to model data-dependent systems or ones with multiple occurrences.
Finally, we will argue the need for a new abstraction to describe systems that
are inherently disjunctive.


3.1  Event-Rule  Systems 

Definition: A (general) event-rule system (ER-system) is a pair $y = (E, R)$
where


• $E$ is a (possibly infinite) set of events; and

• $R$ is a (possibly infinite) set of rules where each rule $r$ is a triple $(e, f, \alpha)$,
written as $e \stackrel{\alpha}{\mapsto} f$, and $e \in E$ is the source of $r$, $f \in E$ is the target of $r$,
and $\alpha \in [0, \infty)$ is the delay of $r$.


Definition: A timing function for an ER-system $y = (E, R)$ is a function $t$
from $E$ to $[0, \infty)$ such that

\[ \forall e, f, \alpha : e \stackrel{\alpha}{\mapsto} f \in R : t(f) \geq t(e) + \alpha. \qquad (3.1) \]

Intuitively, $t(f)$ is the time at which event $f$ occurs. If we let

\[ C = \{ e : (\exists \alpha :: e \stackrel{\alpha}{\mapsto} f \in R) : e \}, \]

then (3.1) specifies that $f$ cannot occur until every event in $C$ has occurred;
hence, $C$ will be referred to, in this paper, as the cause set of $f$.

For  periodic  systems,  the  concept  of  repetitive  ER-systems  is  introduced. 

Definition: A repetitive ER-system is a pair $y' = (E', R')$ where

• $E'$ is a finite set of transitions; and

• $R'$ is a finite set of rule templates where each rule template $r'$ is a tuple
$(u, v, \alpha, \varepsilon)$ and $R' \subseteq E' \times E' \times [0, \infty) \times \mathbb{Z}$.

Each repetitive ER-system $y' = (E', R')$ induces a general ER-system
$y = (E, R)$ where

• $E = E' \times \mathbb{N}$; and

• $R = \{ u, v, i, \alpha, \varepsilon : (u, v, \alpha, \varepsilon) \in R' \wedge i \geq \max\{0, \varepsilon\} : (u, i - \varepsilon) \stackrel{\alpha}{\mapsto} (v, i) \}$.

Thus, each event is an indexed occurrence of a transition. Furthermore, the
rule template $r' = (u, v, \alpha, \varepsilon)$ specifies that every occurrence of $v$ has an
occurrence of $u$ in its cause set, with $\varepsilon$ as a constant occurrence-index offset
between the two transitions.
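The unfolding of rule templates into indexed rules, as an added example that is not code from the thesis: it builds the induced rules for the first n occurrences and takes the least timing function satisfying (3.1) as the occurrence times. The template structure follows Example 3.1 later in this chapter; the delay values, the "+"/"-" transition names and the function names are assumptions made for the example.

```python
from collections import defaultdict, deque

# Rule templates (u, v, alpha, eps) with the structure of Example 3.1
# (Q-element plus its environment). "+" marks an up-transition, "-" a
# down-transition. The delay values are constructed for this example; the
# thesis leaves alpha_0 .. alpha_11 symbolic.
Q_ELEMENT = [
    ("li+", "ro+", 2, 0), ("s-", "ro+", 2, 1), ("ri+", "s+", 2, 0),
    ("s+", "ro-", 2, 0), ("ri-", "lo+", 2, 0), ("s+", "lo+", 2, 0),
    ("li-", "s-", 2, 0), ("s-", "lo-", 2, 0), ("lo-", "li+", 1, 1),
    ("lo+", "li-", 1, 0), ("ro+", "ri+", 1, 0), ("ro-", "ri-", 1, 0),
]


def unfold(templates, n):
    """Rules of the induced general ER-system for occurrences 0 .. n-1.

    Each template (u, v, alpha, eps) yields (u, i - eps) -> (v, i) with delay
    alpha for every i >= max(0, eps).
    """
    rules = []
    for u, v, alpha, eps in templates:
        for i in range(max(0, eps), n):
            if i - eps < n:  # a negative eps can point past the window
                rules.append(((u, i - eps), (v, i), alpha))
    return rules


def earliest_times(templates, n):
    """Least t with t(f) >= t(e) + alpha for every unfolded rule, as in (3.1)."""
    events = {(x, i) for u, v, _, _ in templates for x in (u, v) for i in range(n)}
    successors = defaultdict(list)
    unmet = dict.fromkeys(events, 0)  # causes of each event not yet timed
    for e, f, alpha in unfold(templates, n):
        successors[e].append((f, alpha))
        unmet[f] += 1
    t = dict.fromkeys(events, 0)  # events without a cause occur at time 0
    queue = deque(e for e in events if unmet[e] == 0)
    timed = 0
    while queue:  # longest-path relaxation in topological order
        e = queue.popleft()
        timed += 1
        for f, alpha in successors[e]:
            t[f] = max(t[f], t[e] + alpha)
            unmet[f] -= 1
            if unmet[f] == 0:
                queue.append(f)
    if timed != len(events):
        raise ValueError("unfolded rules contain a cycle; not handled here")
    return t


def spacing(templates, transition, n):
    """Time between the last two of n occurrences of a transition (n >= 2)."""
    t = earliest_times(templates, n)
    return t[(transition, n - 1)] - t[(transition, n - 2)]


if __name__ == "__main__":
    for rule in unfold(Q_ELEMENT, 2):
        print(rule)
    print("spacing of ro+:", spacing(Q_ELEMENT, "ro+", 6))
```

With the constructed delays, raising the delay of the offset-1 template ("s-", "ro+") from 2 to 10 changes the steady-state spacing of ro+ from 16 to 21, because the cycle through that template becomes the slowest one.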

Many  of  the  properties  and  definitions  associated  with  ER-systems  will 
be  extended  in  the  next  chapter  and  their  presentation  will  be  postponed 
until  then.  For  the  rest  of  this  chapter,  we  will  address  the  issues  involved 
in  using  ER-systems  to  model  PR  sets. 


3.2  Closed  Systems 

ER-systems are used to model closed systems, i.e., ones where every signal
is both an input and an output. For a PR set, this requirement implies that
the behavior of the environment needs to be included (see next section).

3.3 Simple Straightline Programs

Without  symmetrization,  the  guards  of  a  PR  set  derived  from  a  simple 
straightline  program  —  a  non-terminating  repetition  of  a  fixed  sequence  of 
different  waits  and  transitions  —  are  conjunctions.  Hence,  the  conversion 
of  this  PR  set  to  a  repetitive  ER-system  is  straightforward  as  the  following 
example  illustrates.  Furthermore,  a  literal  added  by  weakening  a  guard  is 
always  false  when  the  PR  fires;  hence,  this  literal  can  be  ignored  since  it 
does  not  introduce  any  new  causality  relationship. 

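Example 3.1: The most liberal environment for the Q-element
$*[[l_i];\ r_o\uparrow;\ [r_i];\ s\uparrow;\ r_o\downarrow;\ [\neg r_i];\ l_o\uparrow;\ [\neg l_i];\ s\downarrow;\ l_o\downarrow]$ is

\[
\begin{array}{rclcrcl}
\neg l_o & \rightarrow & l_i\uparrow & \qquad & r_o & \rightarrow & r_i\uparrow \\
l_o & \rightarrow & l_i\downarrow & & \neg r_o & \rightarrow & r_i\downarrow.
\end{array}
\]

The combination of this PR set and the unsymmetrized PR set in Example 2.9
is modeled by the repetitive ER-system $y' = (E', R')$ where

• $E' = \{ l_i\uparrow, l_i\downarrow, l_o\uparrow, l_o\downarrow, r_i\uparrow, r_i\downarrow, r_o\uparrow, r_o\downarrow, s\uparrow, s\downarrow \}$; and

• $R' = \{ (l_i\uparrow, r_o\uparrow, \alpha_0, 0),\ (s\downarrow, r_o\uparrow, \alpha_1, 1),\ (r_i\uparrow, s\uparrow, \alpha_2, 0),$
$(s\uparrow, r_o\downarrow, \alpha_3, 0),\ (r_i\downarrow, l_o\uparrow, \alpha_4, 0),\ (s\uparrow, l_o\uparrow, \alpha_5, 0),$
$(l_i\downarrow, s\downarrow, \alpha_6, 0),\ (s\downarrow, l_o\downarrow, \alpha_7, 0),\ (l_o\downarrow, l_i\uparrow, \alpha_8, 1),$
$(l_o\uparrow, l_i\downarrow, \alpha_9, 0),\ (r_o\uparrow, r_i\uparrow, \alpha_{10}, 0),\ (r_o\downarrow, r_i\downarrow, \alpha_{11}, 0) \}$

with the $\alpha$'s being the delays prescribed by the timing model under use. (For
CM PR sets, these delays may be functions of transistor sizes.) Note that
the second occurrence of $r_o\uparrow$ is caused by the first occurrence of $s\downarrow$ and so
forth. Hence, an occurrence-index offset of 1 is needed in the rule template
for the two transitions. The same observation holds for $(l_o\downarrow, l_i\uparrow, \alpha_8, 1)$. Note
also that the same ER-system is used even if the guard of $r_o\downarrow$ is symmetrized
to $\neg l_i \vee s$ since $l_i$ is true whenever $r_o\downarrow$ occurs and, so, $l_i\downarrow$ is not a cause of
$r_o\downarrow$. □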

3.4  Multiple  Occurrences 

Consider the toggle $*[X; X; Y]$. A handshaking expansion for it is
*[|>j]f  XoV:  [  £;] :  u t;  i-'t:  xa{]  [£jl|  «!;  £GT;

1424;  y4;  ^4;  [y4;  4;  */4;  [-,y«]  ]■ 

A possible PR rule for $x_o\uparrow$ is

\[ x_i \wedge \neg y_i \wedge \neg v \vee \neg y_o \wedge \neg u \wedge v \rightarrow x_o\uparrow. \]

One of the requirements of a repetitive ER-system is that the $i$-th occurrence
of a transition $t$ must be caused by the $(i - \varepsilon)$-th occurrence of another
transition $s$, where $\varepsilon$ is independent of $i$. In this example, $x_o\uparrow$ occurs twice
for  each  occurrence  of  and,  therefore,  the  system  cannot  be  modeled 
directly  as  a  repetitive  ER-system. 

The  remedy  is  obvious.  For  now,  let  us  define  a  cycle  as  a  sequence 
of  transitions  whose  occurrences  return  the  system  back  to  the  state  it  was 
before  these  occurrences  have  taken  place.  So,  in  this  example,  a  cycle  is 


(zit,  x0 1,  Xii,  «T,  4,  x0i,  Xjt,  ui,  Xo\,  Xii,  yQ t,  x0l,  y4,  vj,  y0|,  y4). 

It is then sufficient to rename the transitions so that each transition in a
cycle has a distinct name. For the toggle above, let each odd occurrence of
$x_o\uparrow$ be renamed $x1_o\uparrow$ and each even occurrence $x2_o\uparrow$. Then, the PR above
can be written without a disjunction as

\[ x_i \wedge \neg y_i \wedge \neg v \rightarrow x1_o\uparrow \qquad \neg y_o \wedge \neg u \wedge v \rightarrow x2_o\uparrow. \]

Moreover, the $i$-th occurrence of $x1_o\uparrow$ is caused (in part) by the $(i - 1)$-th
occurrence of $y_i\downarrow$, etc. Hence, the system can be modeled as a repetitive
ER-system.

For this simple example, finding a cycle and determining how many times
each transition occurs is relatively easy. However, for general cases involving
programs with vacuous firings or initial transient behavior, such a task is no
longer trivial. The situation becomes even more complicated when there are
data-dependencies as described below.


3.5  Data-Dependent  Systems 

Consider the following PR from ireg of Sub-section 2.5.1:

\[ pT_i \wedge x1 \vee pF_i \wedge x0 \rightarrow p_o\_\downarrow. \]

Suppose a fixed environment which never sets both $pT_i$ and $pF_i$ true simultaneously
has been included. Then, a particular occurrence of $p_o\_\downarrow$ is
caused by the occurrences of either $pT_i\uparrow$ and $x1\uparrow$ or by the occurrences of
$pF_i\uparrow$ and $x0\uparrow$ but never both alternatives. Thus, the PR set can be modeled
by a repetitive ER-system provided that we know which occurrences of
$p_o\_\downarrow$ are caused by occurrences of $pT_i\uparrow$ and $x1\uparrow$ and which other occurrences
of $p_o\_\downarrow$ are caused by occurrences of $pF_i\uparrow$ and $x0\uparrow$. As another example of
complications that arise from data-dependencies, the PR for $x0\downarrow$ in ireg is

\[ pT_i \rightarrow x0\downarrow. \]

However, depending on the sequence of actions issued by the environment,
$x0$ may already be false when a particular occurrence of $pT_i\uparrow$ takes place.
Hence, this occurrence does not cause any real occurrence of $x0\downarrow$ in spite of
the PR above.

In  general,  the  causality  relationships  between  transitions  in  a  PR  set  can 
be  ascertained  only  through  simulation.  However,  exhaustive  simulation  is 
usually  too  costly  and,  as  the  following  example  shows,  depth-first  simulation 
may  result  in  a  cycle  that  contains  more  transitions  than  necessary.  Since 
the  complexity  in  finding  the  performance  of  the  corresponding  repetitive 
ER-system  increases  dramatically  with  the  length  of  this  cycle,  in  Chapter  6, 
we  have  developed  a  simple  algorithm  which  guarantees  that  the  cycles  it 
finds  are  “minimal.”  To  establish  this  algorithm,  the  theoretical  background 
on  the  properties  of  cycles  will  be  presented  in  Chapter  5. 

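Example 3.2: Consider the following PR set:

\[
\begin{array}{rcl}
\neg a3 \wedge \neg c & \rightarrow & a1\uparrow \\
a1 \wedge \neg a3 & \rightarrow & a2\uparrow \\
a2 \wedge (\neg b3 \vee b2 \vee c) & \rightarrow & a3\uparrow \\
a3 \wedge c & \rightarrow & a2\downarrow \\
\neg a2 \wedge a3 & \rightarrow & a1\downarrow \\
\neg a1 \wedge (b3 \vee \neg b1 \vee \neg c) & \rightarrow & a3\downarrow \\
\neg b3 \wedge \neg c & \rightarrow & b1\uparrow \\
b1 \wedge \neg b3 & \rightarrow & b2\uparrow \\
b2 \wedge (\neg a3 \vee a1 \vee c) & \rightarrow & b3\uparrow \\
b3 \wedge c & \rightarrow & b2\downarrow \\
\neg b2 \wedge b3 & \rightarrow & b1\downarrow \\
\neg b1 \wedge (a3 \vee \neg a2 \vee \neg c) & \rightarrow & b3\downarrow \\
a2 \wedge b2 & \rightarrow & c\uparrow \\
\neg a1 \wedge \neg b1 & \rightarrow & c\downarrow.
\end{array}
\]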

Its state graph is shown in Figure 3.1. Each circle represents a state and
is labeled with three digits ABC where A is the value of the binary vector
(a3 a2 a1), B is the value of (b3 b2 b1), and C is the binary value of
c. Each edge represents the transition that causes the corresponding state
change. To avoid cluttering up the graph, only some of the edges are labeled.
It can be shown that the graph contains all states reachable from the initial
state (marked 000) where every variable is false. Furthermore, no two circles
in the graph represent the same state.

Now, in depth-first simulation, at every state, the most recently enabled
transition is fired and the algorithm proceeds to the new state that results
from that firing. When the new state is one that has been encountered
before, the algorithm terminates and reports the cycle found. So, starting at
the initial state 000, the bold edges in Figure 3.1 show a possible cycle found
by depth-first simulation. Note that all states on the cycle are different and
yet it should be clear that there is a smaller cycle, half as long, that contains
the same set of transitions. □

3.5.1  Environmental  Scenarios 

As  illustrated  by  the  discussion  on  ireg  above,  the  causality  relationships 
between  occurrences  in  a  data-dependent  system  depend  on  the  particular 
choices  made  by  the  environment.  Hence,  in  general,  one  can  evaluate  the 
performance  of  such  a  system  only  under  a  fixed  environmental  scenario.  To 
get  a  better  indication  of  the  overall  performance  of  the  system,  one  can 
combine  the  performance  evaluations  from  different  environmental  scenarios 
by weighting each according to its probability. As we shall see, the performance
of a circuit can be expressed as a function of its transistor sizes;
hence,  by  optimizing  the  combination  of  these  functions  from  different  scenar¬ 
ios,  appropriate  transistor  sizes  can  be  determined.  Furthermore,  by  adding 
constraints  —  such  as  one  requiring  that  the  transistors  used  in  setting  a 
bit  true  have  the  same  sizes  as  those  for  setting  it  false  —  it  is  possible  to 
obtain  proper  sizes  even  for  transistors  that  are  not  exercised  under  a  given 
scenario.  Consequently,  in  the  sequel,  it  will  be  assumed  that  a  “typical” 
environmental  scenario  has  been  selected  for  the  PR  set  under  consideration. 
Figure 3.1: Depth-first simulation

3.6 Inherently Disjunctive Systems

Consider zeroQ, the quick-decision zero-checker from Sub-section 2.5.6. If
the environment sets both $aQ_i$ and $bQ_i$ to true, then the subsequent occurrence
of $cQ_o\uparrow$ is caused by either $aQ_i\uparrow$, or $bQ_i\uparrow$, or both, depending on the
delays between these transitions and $cQ_o\uparrow$. Note that this is a fundamentally
different situation from a data-dependent system, where every occurrence
has a unique set of causes independent of the delays. Here, an event has
more than one set of causes and, consequently, cannot be modeled by an
ER-system. Such a system is said to be inherently disjunctive [6]. The generalization
of ER-systems to describe such a system is the topic of the next
chapter.


3.7  Arbiters  and  Synchronizers 

As mentioned before, program parts dealing with arbitration and synchronization
of negated probes cannot be described by stable PR's. In our
approach to performance analysis, these arbiters and synchronizers are regarded
as belonging to the environment and the user is required to specify
their non-deterministic behavior by selecting the appropriate environmental
scenarios.

Chapter 4

Extended Event-Rule Systems


In an extended ER-system (XER-system), an event may have more than
one set of causes. Hence, XER-systems can be used to model inherently
disjunctive systems. In this chapter, we will demonstrate how to compute
the period of a repetitive XER-system and show that this period gives a good
indication of the performance of the system. Most of the definitions and
results for XER-systems have counterparts in ER-systems. Moreover, most
of the proofs in this chapter, with the notable exception of those in Section 4.4
and Section 4.7, are extensions to those given in [6].


4.1  General  Extended  Event-Rule  Systems 

The source of a rule in an XER-system is a set of events. Furthermore,
having more than one rule with $f$ as target specifies that $f$ has more than
one possible set of causes. Since there may be more than one delay associated
with each rule, an explicit function $\Delta$ is introduced to specify the delay
between two events when one is a cause of the other. These concepts are
formalized in the following definitions.

Definition: A (general) extended event-rule system (XER-system) is a triple
$X = (E, R, \Delta)$ where

• $E$ is a (possibly infinite) set of events;

• $R$ is a (possibly infinite) set of rules where each rule is a pair $(C, f)$,
written as $C \mapsto f$, with $f \in E \wedge C \subseteq E$ and, for every $f$ in $E$, there
exists at least one rule $C \mapsto f$ in $R$ ($C$ may be empty); and

• $\Delta$ is a delay function such that $\Delta : V \rightarrow [0, \infty)$ with

\[ V = \{ e, f, C : C \mapsto f \in R \wedge e \in C : (e, f, C \mapsto f) \}. \]

The initial event set of $X$ is

\[ init(X) = \{ f : \emptyset \mapsto f \in R : f \}. \]

For a rule $r = C \mapsto f$, the source set of $r$ is $src(r) = C$, and the target of $r$
is $tar(r) = f$. A rule is empty if its source set is empty. Also, $C$ is called a
set of causes (or a cause set) of $f$ if $C \mapsto f$ is a rule. The set of all cause sets
of $f$ is $\{ C : C \mapsto f \in R : C \}$. An event $f$ is said to be disjunctively caused if
it has more than one set of causes. An XER-system is said to be conjunctive
if none of its events is disjunctively caused.

Example 4.1: As an example of an XER-system, consider $X = (E, R, \Delta)$
where


• $E = \{a, b, c, d, e\}$;

• $R = \{ \emptyset \mapsto a,\ \{a\} \mapsto b,\ \{a\} \mapsto c,\ \{a\} \mapsto d,\ \{b, c\} \mapsto e,\ \{d\} \mapsto e \}$; and

• $\Delta(a, b, \{a\} \mapsto b) = 1$, $\Delta(a, c, \{a\} \mapsto c) = 1$, $\Delta(a, d, \{a\} \mapsto d) = 1$,
$\Delta(b, e, \{b, c\} \mapsto e) = 2$, $\Delta(c, e, \{b, c\} \mapsto e) = 8$, $\Delta(d, e, \{d\} \mapsto e) = 3$.

Then, $init(X) = \{a\}$ and $\emptyset \mapsto a$ is the only empty rule. For the rule $\{b, c\} \mapsto e$,
$src(\{b, c\} \mapsto e) = \{b, c\}$, and $tar(\{b, c\} \mapsto e) = e$. Also, $\{b, c\}$ and $\{d\}$ are
sets of causes of $e$; thus, $e$ is disjunctively caused and $X$ is not conjunctive.
□

Intuitively, a rule $C \mapsto f$ specifies the timing constraint that the event
$f$ can occur only if all events in $C$ have occurred and a proper amount of
delay (as specified by $\Delta$) has elapsed. When there are two or more rules
with target $f$, then $f$ can occur if the timing constraint imposed by any of
these rules can be satisfied. So, in the previous example, $e$ can occur only
if either both $b$ and $c$ have occurred, or $d$ has occurred. These concepts are
formalized by the following definition.
Definition: A timing function for $X = (E, R, \Delta)$ is a function $t : E \rightarrow [0, \infty)$
such that¹

\[ \forall f : f \in E : (\ \exists r : r \in R \wedge f = tar(r) : (\forall e : e \in src(r) : t(f) \geq t(e) + \Delta(e, f, r))\ ). \qquad (4.1) \]

An XER-system is feasible if there exists a timing function for it.

Example 4.2: The XER-system in the previous example is feasible since $t$,
where $t(a) = 0$, $t(b) = 1$, $t(c) = 1$, $t(d) = 1$, $t(e) = 4$, is a timing function for
it. □

Note that in this example, the values of $\Delta$ are numerically given and it
can be shown that the rule $\{b, c\} \mapsto e$ can be removed without affecting the
corresponding set of timing functions. However, when one wants to optimize
the performance of an XER-system, the values of $\Delta$ are themselves functions
of other variables and, consequently, it cannot be decided in advance which
of the possible sets of causes for an event can be removed. Thus, in general,
an XER-system cannot be reduced to one that is conjunctive.

4.1.1 Conjunctive General XER-Systems

As the following lemma shows, any conjunctive XER-system can be transformed
into an equivalent ER-system.

Lemma 4.1 Let $X = (E, R, \Delta)$ be a conjunctive XER-system. Then, there
exists an ER-system such that the two systems have the same set of timing
functions.

Proof: Let $y = (E_y, R_y)$ be the ER-system where $E_y = E$ and

\[ R_y = \{ e, f, r, \alpha : r \in R \wedge e \in src(r) \wedge f = tar(r) \wedge \Delta(e, f, r) = \alpha : e \stackrel{\alpha}{\mapsto} f \}. \qquad (4.2) \]

Now, since $X$ is conjunctive, for every $f$ in $E$, there exists a unique rule $r$
in $R$ with target $f$. By the construction of $R_y$, $e \stackrel{\alpha}{\mapsto} f \in R_y$ if and only if
$e \in src(r) \wedge \Delta(e, f, r) = \alpha$. So, (4.1) and (3.1) are equivalent and the lemma
is established. Q.E.D.

¹For succinctness, a minor liberty with the functional notation has been taken and
$\Delta(e, f, r)$ is used as an abbreviation for $\Delta((e, f, r))$ and similarly for other functions.
4.1.2 Constraint Graphs


Definition: The constraint graph for an XER-system $X = (E, R, \Delta)$ is
the directed labeled bipartite graph $G = (V, A)$ with $V = V_E \uplus V_R$ and
$A = A_\wedge \uplus A_\vee$ where

• $V_E$ is the set of event vertices, one corresponding² to each event in $E$,

• $V_R$ is the set of rule vertices, one corresponding to each rule in $R$,

• $A_\wedge = \{ e, f, r : r \in R \wedge e \in src(r) \wedge f = tar(r) : (e, r, \Delta(e, f, r)) \}$ is
the set of conjunctive arcs, and

• $A_\vee = \{ r, f : r \in R \wedge f = tar(r) : (r, f, 0) \}$ is the set of disjunctive
arcs.

For an arc $(e, r, \alpha)$, $\alpha$ is called the weight of the arc.

²For succinctness, the same name is used for an event and the event vertex to which
it corresponds; the context in which the name is used should resolve any ambiguity. The
same convention is used for a rule and the corresponding rule vertex.

Example 4.3: The constraint graph for the XER-system in Example 4.1 is
shown in Figure 4.1. The following conventions have been adopted: event
vertices are drawn as circles, rule vertices as boxes, conjunctive arcs are
drawn smooth, and disjunctive arcs are drawn with wiggles. Note that since
the labels on all disjunctive edges are zeros, they are not included in the
picture. □

Figure 4.1: Constraint graph for Example 4.1


Ancestors at Infinite Distances

Example 4.4: Consider the XER-system $X = (E, R, \Delta)$ where


• $E = \{ i : i \in \mathbb{N} : a_i \}$,

• $R = \{ i : i \in \mathbb{N} : \{a_{i+1}\} \mapsto a_i \}$, and

• $\Delta(a_{i+1}, a_i, \{a_{i+1}\} \mapsto a_i) = \alpha$.

Figure 4.2a shows its constraint graph. If there is a path from vertex $v$ to
vertex $w$ in the graph, then $v$ is an ancestor of $w$ and the distance between
them is the number of arcs in the path. Note that every vertex in Figure 4.2a
has an ancestor at an infinite distance from it and that $X$ is feasible only if
$\alpha = 0$. □

If  v  and  w  are  event  vertices  and  w  is  an  ancestor  of  v  at  an  infinite 
distance,  then  the  occurrence  of  v  depends  on  the  occurrence  of  w,  which 
took place infinitely long ago. Since this situation is unrealistic, in the sequel,
XER-systems whose constraint graphs contain vertices with ancestors
at  infinite  distances  will  be  excluded  from  consideration.  Note  that  the  graph 
itself  may  be  infinite  provided  the  distance  between  every  vertex  and  any  of 
its  ancestors  is  finite  (but  not  necessarily  bounded). 
Figure 4.2: Pathological constraint graphs

Vertices  with  Infinite  In-degrees 

In a constraint graph, if a rule vertex $r = C \mapsto f$ has an infinite
in-degree (see Figure 4.2b), then $|C| = \infty$ and the event $f$ can occur
due to this set of causes only after the infinite number of events in $C$ have
already occurred. Similarly, if an event vertex $f$ has an infinite in-degree
(Figure 4.2c), then $f$ has an infinite number of possible sets of causes. To
avoid these pathological situations that
do  not  correspond  to  realistic  systems,  only  XER-systems  whose  constraint 
graphs  contain  no  vertices  with  infinite  in-degrees  are  considered. 

Cyclic  Constraint  Graphs 

In  [6],  Burns  shows  the  analog  of  the  fact  that  if  an  XER-system  is  conjunctive 
and  feasible,  then  the  sum  of  the  weights  along  the  arcs  in  any  cycle  in 
its  constraint  graph  is  zero.  Furthermore,  the  vertices  in  that  cycle  can 
then  be  “merged”  together  and  be  treated  as  a  single  vertex  for  the  purpose 
of defining timing simulation as presented in the next sub-section. As the
following example shows, however, these results do not hold if the
XER-system is not conjunctive.

Example 4.5: Consider the XER-system $X = (E, R, \Delta)$ where

• $E = \{a, b, c\}$,

• $R = \{\emptyset \mapsto a,\ \{a\} \mapsto c,\ \{b\} \mapsto c,\ \{c\} \mapsto b\}$, and

• $\Delta(a, c, \{a\} \mapsto c) = \alpha$, $\Delta(b, c, \{b\} \mapsto c) = \beta$,
$\Delta(c, b, \{c\} \mapsto b) = 1$.

Its constraint graph is shown in Figure 4.2d and a timing function for it is

$t(a) = 0,\quad t(b) = \alpha + 1,\quad t(c) = \alpha.$

In fact, regardless of the values of $\alpha$ and $\beta$, $t(c) < t(b)$. Thus,
this system is equivalent to one where the rule $\{b\} \mapsto c$ is removed. □

As  this  example  demonstrates,  if  an  XER-system  is  feasible,  then  any 
cycle  with  non-zero  weight  contains  an  arc  that  arises  from  an  unnecessary 
rule.  Also,  an  XER-system  with  a  cyclic  constraint  graph  implies  there  is  an 
event  (like  c  above)  which,  indirectly,  can  cause  itself  to  occur.  Since  such 
systems  occur  rarely,  if  at  all,  in  practice,  it  is  assumed  that  in  the  sequel, 
all  constraint  graphs  are  acyclic. 


4.1.3  Timing  Simulation 

Since we consider only XER-systems with acyclic constraint graphs that do
not contain vertices with ancestors at infinite distances or vertices with
infinite in-degrees, the following function is well-defined. Note that the
minimization is over all rules with target $f$ and the maximization is over
all events in the source set of each of these rules.

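Definition: For an XER-system $X = (E, R, \Delta)$, $\hat{t} : E \to [0, \infty)$
defined below is called the timing simulation of $X$:

$$\hat{t}(f) \stackrel{\text{def}}{=} \begin{cases}
0 & \text{if } f \in \text{init}(X) \\
\min\{ r : (r \in R) \wedge (f = \text{tar}(r)) : \max\{ e : e \in \text{src}(r) : \hat{t}(e) + \Delta(e, f, r) \} \} & \text{if } f \notin \text{init}(X).
\end{cases} \qquad (4.3)$$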
Example 4.6: The timing function given in Example 4.2 is the timing
simulation  of  the  corresponding  XER-system.  □ 

Lemma 4.2 The timing simulation of $X$ is a timing function of $X$ and for
any timing function $t$ of $X$,

$$\forall e : e \in E : \hat{t}(e) \le t(e).$$

Proof: If $f$ is in init($X$), then (4.1) holds since there exists an empty
rule with target $f$. If $f$ is not in init($X$), then there exists a rule $r$
such that

$$\hat{t}(f) = \max\{ e : e \in \text{src}(r) : \hat{t}(e) + \Delta(e, f, r) \}$$

and this equality implies

$$\forall e : e \in \text{src}(r) : \hat{t}(f) \ge \hat{t}(e) + \Delta(e, f, r) \qquad (4.4)$$

and, so, $\hat{t}$ is a timing function of $X$.

For a given timing function $t$, let

$$Z = \{ e : \hat{t}(e) > t(e) : e \}.$$

If $Z$ is not empty then let $f$ be an event in $Z$ such that for any event $e$
and rule $r$

$$e \in \text{src}(r) \wedge f = \text{tar}(r) \Rightarrow e \notin Z. \qquad (4.5)$$

Such an event exists since the constraint graph is acyclic.

If $f \in \text{init}(X)$, then $t(f) < \hat{t}(f) = 0$ which is a
contradiction. Alternatively, if $f \notin \text{init}(X)$, then by the
definition of a timing function, there exists a rule $r$ such that

$$t(f) \ge \max\{ e : e \in \text{src}(r) : t(e) + \Delta(e, f, r) \}.$$

But, by (4.5), the right side of the above inequality is at least

$$\max\{ e : e \in \text{src}(r) : \hat{t}(e) + \Delta(e, f, r) \} \ge \hat{t}(f)$$

where the last inequality is due to the minimality of $\hat{t}(f)$ in (4.3).
Thus, $t(f) \ge \hat{t}(f)$ in contradiction to the assumption that
$f \in Z$. Thus, $Z$ is empty and the lemma is established. Q.E.D.
4.2 Repetitive XER-Systems

A  general  XER-system  is  difficult  to  analyze  due  to  the  fact  that  it  may  have 
a  large  number  of  arbitrary  timing  constraints.  Fortunately,  the  systems 
that  we  are  interested  in  exhibit  regular  behavior  and  can  be  modeled  by  a 
“repetitive”  XER-system  as  defined  below. 

Definition: A repetitive XER-system $X'$ is a quadruple $(E', R', \delta, \theta)$
where

• $E'$ is a finite set of transitions;

• $R'$ is a finite set of templates where each template is a pair $(C', v)$,
written as $C' \mapsto v$, with $v \in E' \wedge C' \subseteq E'$ and, for every
$v$ in $E'$, there exists at least one template $C' \mapsto v$ in $R'$;

• $\delta$ is a delay function such that $\delta : \mathcal{D}' \to [0, \infty)$ with

$$\mathcal{D}' = \{ u, v, C' : C' \mapsto v \in R' \wedge u \in C' : (u, v, C' \mapsto v) \};$$

and

• $\theta$ is an occurrence-index offset function such that
$\theta : \mathcal{D}' \to \mathbb{Z}$.

The maximum occurrence-index offset of $X'$ is

$$\theta_{\max} = \max(\{ u, v, q : (u, v, q) \in \mathcal{D}' : \theta(u, v, q) \} \cup \{0\}). \qquad (4.6)$$

For a template $q = C' \mapsto v$, the source set of $q$ is $\text{src}(q) = C'$,
and the target of $q$ is $\text{tar}(q) = v$. Also, $C'$ is called a set of
causes for $v$, if $C' \mapsto v$ is a template. A transition $v$ is said to be
disjunctively caused if it has more than one set of causes. A repetitive
XER-system is conjunctive if it has no transition that is disjunctively
caused.

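Example 4.7: Consider the following program which waits for either of two
input channels to be activated, performs an output communication C, and
then completes both input communications:

$$*[[A \vee B \to C;\ A \bullet B]].$$

One reshuffled handshaking expansion for this program is

$$*[[a_i \vee b_i];\ c_o\uparrow;\ [c_i \wedge a_i \wedge b_i];\ s\uparrow;\ (a_o\uparrow \parallel b_o\uparrow \parallel c_o\downarrow);$$
$$[\neg c_i \wedge \neg a_i \wedge \neg b_i];\ s\downarrow;\ (a_o\downarrow \parallel b_o\downarrow)]$$

which compiles into the following PR set:

$$\begin{array}{ll}
\neg s \wedge (a_i \vee b_i) \to c_o\uparrow & s \to c_o\downarrow \\
c_i \wedge a_i \wedge b_i \to s\uparrow & \neg c_i \wedge \neg a_i \wedge \neg b_i \to s\downarrow \\
s \to a_o\uparrow & \neg s \to a_o\downarrow \\
s \to b_o\uparrow & \neg s \to b_o\downarrow.
\end{array}$$

Assuming that the environment is just independent processes completing the
communications on A, B, and C, and that initially all variables are false,
this PR set can be described by the repetitive XER-system
$X' = (E', R', \delta, \theta)$ where

• $E' = \{ a_i\uparrow, a_i\downarrow, a_o\uparrow, a_o\downarrow, b_i\uparrow, b_i\downarrow, b_o\uparrow, b_o\downarrow, c_i\uparrow, c_i\downarrow, c_o\uparrow, c_o\downarrow, s\uparrow, s\downarrow \}$;

• $R' = \{\ \{s\downarrow, a_i\uparrow\} \mapsto c_o\uparrow,\ \{s\downarrow, b_i\uparrow\} \mapsto c_o\uparrow,\ \{c_i\uparrow, a_i\uparrow, b_i\uparrow\} \mapsto s\uparrow,$
$\{s\uparrow\} \mapsto a_o\uparrow,\ \{s\uparrow\} \mapsto b_o\uparrow,\ \{s\uparrow\} \mapsto c_o\downarrow,$
$\{c_i\downarrow, a_i\downarrow, b_i\downarrow\} \mapsto s\downarrow,\ \{s\downarrow\} \mapsto a_o\downarrow,\ \{s\downarrow\} \mapsto b_o\downarrow,$
$\{a_o\downarrow\} \mapsto a_i\uparrow,\ \{a_o\uparrow\} \mapsto a_i\downarrow,\ \{b_o\uparrow\} \mapsto b_i\downarrow,$
$\{b_o\downarrow\} \mapsto b_i\uparrow,\ \{c_o\uparrow\} \mapsto c_i\uparrow,\ \{c_o\downarrow\} \mapsto c_i\downarrow\ \}$;

• $\delta$ is some function depending on the timing model being used; for
concreteness, we will assume $\delta(u, v, q) = \delta_v$ in this example; and

• $\theta(s\downarrow, c_o\uparrow, \{s\downarrow, a_i\uparrow\} \mapsto c_o\uparrow) = 1$,
$\theta(s\downarrow, c_o\uparrow, \{s\downarrow, b_i\uparrow\} \mapsto c_o\uparrow) = 1$,
$\theta(a_o\downarrow, a_i\uparrow, \{a_o\downarrow\} \mapsto a_i\uparrow) = 1$,
$\theta(b_o\downarrow, b_i\uparrow, \{b_o\downarrow\} \mapsto b_i\uparrow) = 1$, and
$\theta(u, v, q) = 0$ for any other combination of $u$, $v$, and $q$ in the
domain of $\theta$.

Note that if $\theta(u, v, q) = 1$, then it is the occurrence of transition $u$
in the previous iteration that causes the occurrence of transition $v$ in the
current iteration. Since $c_o\uparrow$ is disjunctively caused, $X'$ is not
conjunctive. Also, $\theta_{\max} = 1$. □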

A repetitive XER-system $X'$ can be viewed as a specification of a (general)
XER-system $X$. The events of $X$ are of the form $(u, i)$ where $u$ is a
transition of $X'$ and $i$ is a natural number called the occurrence index of
the event. The rules of $X$ are to be generated by the templates of $X'$.
Intuitively, if $v$ is the target of a template $q$ and $u$ is a transition in
the source set of $q$, then there is a rule $r$ such that $(v, i)$ is the
target of $r$ and an event $(u, j)$ is in the source set of $r$. The difference
between $i$ and $j$ is specified by the function $\theta$ and hence its name.
The following definitions formalize these notions.
Definition: For a template $q = C' \mapsto v$ and a natural number $i$, the
i-th instantiation of $q$ is the rule $q\lceil i = C \mapsto (v, i)$ where

$$C = \{ u : u \in C' \wedge i \ge \theta(u, v, q) : (u, i - \theta(u, v, q)) \}. \qquad (4.7)$$

Note that if $i \ge \theta_{\max}$, then

$$u \in \text{src}(q) \Rightarrow (u, i - \theta(u, v, q)) \in \text{src}(q\lceil i). \qquad (4.8)$$


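Example 4.8: Let $q$ be the first template listed in the previous example.
Then,

$$q\lceil i = \begin{cases}
\{(a_i\uparrow, 0)\} \mapsto (c_o\uparrow, 0) & \text{if } i = 0 \\
\{(s\downarrow, i - 1), (a_i\uparrow, i)\} \mapsto (c_o\uparrow, i) & \text{if } i > 0.
\end{cases}$$

□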


Definition: A repetitive XER-system $X' = (E', R', \delta, \theta)$ induces or
generates the XER-system $X = (E, R, \Delta)$ where

• $E = \{ u, i : u \in E' \wedge i \in \mathbb{N} : (u, i) \}$;

• $R = \{ q, i : q \in R' \wedge i \in \mathbb{N} : q\lceil i \}$; and

• $\Delta((u, j), (v, i), q\lceil i) = \delta(u, v, q)$ with the domain of $\Delta$ being

$$\mathcal{D} = \{ u, j, v, i, q : (v, i) = \text{tar}(q\lceil i) \wedge (u, j) \in \text{src}(q\lceil i) : ((u, j), (v, i), q\lceil i) \}.$$

Note that this construction is well-defined since

$$((u, j), (v, i), q\lceil i) \in \mathcal{D} \Rightarrow (u, v, q) \in \mathcal{D}'.$$

Also, by the construction described above, a conjunctive repetitive
XER-system (one set of causes per transition) induces a conjunctive general
XER-system (one set of causes per event). For brevity, a timing function (or
the timing simulation) of $X$ is also referred to as a timing function (or the
timing simulation) of $X'$.
4.2.1 Conjunctive Repetitive XER-Systems

A  repetitive  XER-system  is  the  analog  of  a  repetitive  ER-system  defined  in 
the  previous  chapter.  As  expected,  there  is  a  natural  correspondence  between 
a  conjunctive  repetitive  XER-system  and  a  repetitive  ER-system. 

Lemma 4.3 Let $X' = (E', R', \delta, \theta)$ be a conjunctive repetitive
XER-system. Then, there exists a repetitive ER-system such that the two
systems have the same set of timing functions.

Proof: Consider the repetitive ER-system $Y' = (E'_Y, R'_Y)$ where
$E'_Y = E'$ and

$$R'_Y = \{ u, v, \alpha, \varepsilon, q : q \in R' \wedge u \in \text{src}(q) \wedge v = \text{tar}(q) \wedge \delta(u, v, q) = \alpha \wedge \theta(u, v, q) = \varepsilon : (u, v, \alpha, \varepsilon) \}. \qquad (4.9)$$

Let $X = (E, R, \Delta)$ be the XER-system induced by $X'$ and $Y = (E_Y, R_Y)$
be the ER-system induced by $Y'$. Then, $E'_Y = E'$ implies $E_Y = E$. Let
$(v, i)$ be an event in $E$. Since $X'$ is conjunctive, there exists a unique
template $q$ such that $q = C' \mapsto v$. Now, by construction, the only rule
in $R$ with target $(v, i)$ is $q\lceil i = (C, (v, i))$ where

$$C = \{ u : u \in C' \wedge i \ge \theta(u, v, q) : (u, i - \theta(u, v, q)) \}.$$

Next, by (4.9), $(u, v, \alpha, \varepsilon)$ is in $R'_Y$ if and only if

$$u \in C' \wedge \alpha = \delta(u, v, q) \wedge \varepsilon = \theta(u, v, q).$$

This relationship implies that the subset of rules in $R_Y$ with target
$(v, i)$ is precisely

$$\{ u : u \in C' \wedge i \ge \theta(u, v, q) : (u, i - \theta(u, v, q)) \stackrel{\alpha}{\mapsto} (v, i) \}.$$

Since $\delta(u, v, q) = \Delta((u, j), (v, i), q\lceil i)$,
$(u, j) \stackrel{\alpha}{\mapsto} (v, i)$ is a rule in $R_Y$ if and only if
there exists $q\lceil i$ such that

$$(u, j) \in \text{src}(q\lceil i) \wedge (v, i) = \text{tar}(q\lceil i) \wedge \alpha = \Delta((u, j), (v, i), q\lceil i).$$

Since this analysis holds for any $v$, $R_Y$ is related to $R$ by (4.2). The
lemma then follows from the proof of Lemma 4.1. Q.E.D.
4.2.2 Collapsed-Constraint Graphs


Definition: The collapsed-constraint graph for a repetitive XER-system
$X' = (E', R', \delta, \theta)$ is the directed doubly-labeled bipartite graph
$G' = (V', A')$
with  V'  =  Vf  l+l  Vf  and  A'  =  A'a  i±i  A'v  where 

•  Vf  is  the  set  of  transition  vertices ,  one  corresponding  to  each  transition 
u  in  E' , 

•  Vf  is  the  set  of  template  vertices,  one  corresponding  to  each  template 
q  in  R', 

• $A'_\wedge = \{ u, v, q : q \in R' \wedge u \in \text{src}(q) \wedge v = \text{tar}(q) : (u, q, \delta(u, v, q), \theta(u, v, q)) \}$
is the set of conjunctive arcs, and

• $A'_\vee = \{ q, v : q \in R' \wedge v = \text{tar}(q) : (q, v, 0, 0) \}$ is the
set of disjunctive arcs.

For an arc $(w, w', \alpha, \varepsilon)$, $\alpha$ and $\varepsilon$ are called the
weight and the occurrence-index offset of the arc, respectively.

Example  4.9:  The  collapsed-constraint  graph  for  the  X'  of  Example  4.7  is 
shown  in  Figure  4.3  where  transition  vertices  are  drawn  as  circles,  template 
vertices  as  boxes,  conjunctive  arcs  are  drawn  smooth,  and  disjunctive  arcs 
with wiggles. For clarity, we have adopted the convention that for the
conjunctive arc $(u, q, \alpha, \varepsilon)$, if $\varepsilon > 0$, then the
corresponding arc is drawn with a number of slashes equal to $\varepsilon$.
Also, the zero labels on the disjunctive arcs
have  been  left  out.  □ 

For a path

$$p' = (w_0, w_1, \ldots, w_l)$$

in a collapsed-constraint graph, the sum of the weights on the arcs in $p'$
will be denoted as

$$\delta(p') = \sum_{j=0}^{l-1} (\alpha \text{ in } (w_j, w_{j+1}, \alpha, \varepsilon)),$$

and the sum of the occurrence-index offsets of the arcs as

$$\theta(p') = \sum_{j=0}^{l-1} (\varepsilon \text{ in } (w_j, w_{j+1}, \alpha, \varepsilon)).$$

Figure 4.3: Collapsed constraint graph for Example 4.7


The  following  results  relate  the  collapsed-constraint  graph  of  a  repetitive 
XER-system  X'  to  the  constraint  graph  of  the  general  XER-system  induced 
by X'.

Lemma 4.4 Let $G'$ be the collapsed-constraint graph of $X'$ and $G$ be the
constraint graph of $X$, the XER-system induced by $X'$. If there exists a
path $p$ in $G$ from event vertex $(u, j)$ to $(v, i)$, then there exists a
path $p'$ in $G'$ from transition vertex $u$ to transition vertex $v$.

Proof: If $((u, j), r, (v, i))$ is a path of length 2 in $G$, then, by
construction, there exists $q \in R'$ such that $r = q\lceil i$,
$v = \text{tar}(q)$, $u \in \text{src}(q)$, and $j = i - \theta(u, v, q)$.
Consequently, $(u, q, v)$ is a path in $G'$. Since every non-empty path from
an event vertex to an event vertex is a concatenation of paths with length 2,
the lemma is established. Q.E.D.

Lemma 4.5 Let $G$ and $G'$ be as in Lemma 4.4. If there is a path $p'$ from
transition vertex $u$ to transition vertex $v$ in $G'$ then there exists an
$I$ such that, for all $i \ge I$, there exists a path $p$ from event vertex
$(u, i - \theta(p'))$ to event vertex $(v, i)$ in $G$.

Proof: Use induction on $l$, the length of $p'$.

Base Case: ($l = 0$) In this case, $u = v$; so, let $p = ((u, i))$.

Inductive Step: Assume that the lemma holds for all $p'$ with length less
than or equal to $l$. Consider

$$\sigma' = ((u = w_0), w_1, \ldots, (w_{l+1} = v)).$$

Since $G'$ is bipartite, $w_l$ is a template vertex $q$, and $w_{l-1}$ is a
transition vertex $u$. So, $\sigma'$ is the concatenation of a path $p'$ with
length $l - 1$ and the path

$$(u, q, v).$$

Now, by definition of $G'$, $u \in \text{src}(q)$ and $v = \text{tar}(q)$. But,
by the construction of $X$, for all natural numbers $i$ such that
$i \ge \theta(u, v, q)$, there exists a rule $r = q\lceil i$ in $X$ such that
$(u, i - \theta(u, v, q)) \in \text{src}(r)$ and $(v, i) = \text{tar}(r)$.
Letting $\varepsilon$ be $\theta(u, v, q)$ implies
$((u, i - \varepsilon), r, (v, i))$ is a path in $G$.

By the inductive hypothesis, there exists $I$ such that for all $i$ with
$(i - \varepsilon) \ge I$, there exists a path $p$ from
$(u, i - \varepsilon - \theta(p'))$ to $(u, i - \varepsilon)$. The concatenation
of this path and $((u, i - \varepsilon), r, (v, i))$ for sufficiently large $i$
yields a path from $(u, i - \varepsilon - \theta(p'))$ to $(v, i)$. Since

$$\theta(\sigma') = \theta(p') + \theta(u, v, q) + 0 = \theta(p') + \varepsilon,$$

the lemma is established. Q.E.D.


4.3  Pseudorepetitive  XER-Systems 

Sometimes, a system being modeled exhibits initial transient behavior prior
to entering its steady state. For such a system, “pseudorepetitive”
XER-systems are introduced.

Definition: A pseudorepetitive XER-system $X''$ is a pair $(X_0, X'_1)$ where

• $X_0 = (E_0, R_0, \Delta_0)$ is a (general) XER-system with $E_0$ and $R_0$
finite and is called the initial part of $X''$; and

• $X'_1 = (E'_1, R'_1, \delta_1, \theta_1)$ is a repetitive XER-system and is
called the repeated part of $X''$.


Example 4.10: Consider a system where there is an initial occurrence of b,
followed by the endless repetition of the sequence (a, b, c). Then, this
system can be described by a pseudorepetitive XER-system $X'' = (X_0, X'_1)$
where

• $X_0 = (\ \{ (b, 0), (a, 0) \},\ \{ \emptyset \mapsto (b, 0),\ \{(b, 0)\} \mapsto (a, 0) \},\ \Delta_0\ )$; and

• $X'_1 = (\ \{ a, b, c \},\ \{ \{a\} \mapsto b,\ \{b\} \mapsto c,\ \{c\} \mapsto a \},\ \delta_1,\ \theta_1\ )$.

Since the i-th occurrence of c is caused by the (i + 1)-th occurrence of b,
$\theta_1(b, c, \{b\} \mapsto c) = -1$. By similar analyses,
$\theta_1(a, b, \{a\} \mapsto b) = 1$ and $\theta_1(c, a, \{c\} \mapsto a) = 1$.
Again, $\Delta_0$ and $\delta_1$ depend on the timing model. The way in which
$X''$ specifies the original system will be discussed after the next
definition. □

Intuitively, the XER-system generated by a pseudorepetitive XER-system
$X''$ is the combination of its initial part and the XER-system generated by
its repeated part. If an event appears in both parts, then its constraints as
specified in the initial part take precedence over the ones specified in the
repeated part. The construction below formalizes these notions.

Definition: Let $X''$ be a pseudorepetitive XER-system as defined above.
Let $X_2 = (E_2, R_2, \Delta_2)$ be the XER-system induced by $X'_1$. Then, the
XER-system induced or generated by $X''$ is $X = (E, R, \Delta)$ where

• $E = E_0 \cup E_2$;

• $R = R_0 \cup (R_2 \lfloor E_0)$ with

$$R_2 \lfloor E_0 = \{ C, f : C \mapsto f \in R_2 \wedge f \notin E_0 : C \mapsto f \}; \text{ and} \qquad (4.10)$$

• $\Delta$ is defined by

$$\Delta(e, f, r) = \begin{cases}
\Delta_0(e, f, r) & \text{if } f \in E_0 \\
\Delta_2(e, f, r) & \text{if } f \notin E_0.
\end{cases} \qquad (4.11)$$

Note that an event in $E_0$ can be in the source set of a rule in $R_2$; hence,
events of this type serve as a link between the initial part and the repeated
part of the pseudorepetitive XER-system.

Example 4.11: Continuing with the previous example, $X'_1$ induces the rule
$\emptyset \mapsto (a, 0)$. This rule is superseded by
$\{(b, 0)\} \mapsto (a, 0)$ in $X_0$, reflecting the transient behavior of the
original system. Note that even though $X'_1$ also induces
$\emptyset \mapsto (b, 0)$, this rule is needed in $X_0$ so that $X_0$ is an
XER-system. □


4.3.1  Approximating  Timing  Simulation 

Though they can be used to model a large class of systems, pseudorepetitive
XER-systems are cumbersome to work with. Fortunately, Lemma 4.8
shows that to get a good indication of its timing simulation, it is sufficient to
deal with the repeated part of any given pseudorepetitive XER-system. To
establish the lemma, the following properties of numbers are needed.

Lemma 4.6 For $N > 0$ and any number $B$, if

$$\forall i : 0 \le i < N : |x_i - y_i| \le B,$$

then

$$|\min\{ i : 0 \le i < N : x_i \} - \min\{ i : 0 \le i < N : y_i \}| \le B; \qquad (4.12)$$
$$|\max\{ i : 0 \le i < N : x_i \} - \max\{ i : 0 \le i < N : y_i \}| \le B. \qquad (4.13)$$

Proof: Let $x_j = \min\{x_i\}$ and $y_k = \min\{y_i\}$. If $x_j \ge y_k$, then
the minimality of $x_j$ implies

$$|\min\{x_i\} - \min\{y_i\}| = (x_j - y_k) \le (x_k - y_k) \le B.$$

Alternatively, if $x_j < y_k$, then the minimality of $y_k$ implies

$$|\min\{x_i\} - \min\{y_i\}| = (y_k - x_j) \le (y_j - x_j) \le B.$$

Thus, (4.12) is established. Equation (4.13) can be verified by similar
arguments. Q.E.D.

Corollary 4.7 Let $N > 0$ and $\forall i : 0 \le i < N : M_i > 0$. Let

$$X = \min\{ i : 0 \le i < N : \max\{ j : 0 \le j < M_i : x_{ij} \} \},$$

$$Y = \min\{ i : 0 \le i < N : \max\{ j : 0 \le j < M_i : y_{ij} \} \}.$$

If $\forall i, j : 0 \le i < N \wedge 0 \le j < M_i : |x_{ij} - y_{ij}| \le B$,
then $|X - Y| \le B$.

Proof: For any $i$, $0 \le i < N$, let
$X_i = \max\{ j : 0 \le j < M_i : x_{ij} \}$ and
$Y_i = \max\{ j : 0 \le j < M_i : y_{ij} \}$. By (4.13) of Lemma 4.6,
$|X_i - Y_i| \le B$. The corollary is established by using (4.12) of Lemma 4.6
for the sets $\{X_i\}$ and $\{Y_i\}$. Q.E.D.

Lemma 4.8 Let $X = (E, R, \Delta)$ be the XER-system induced by a
pseudorepetitive XER-system $X'' = (X_0, X'_1)$. Let
$X_2 = (E_2, R_2, \Delta_2)$ be the XER-system induced by $X'_1$. If $\hat{t}$
and $\hat{t}_2$ are, respectively, the timing simulations of $X$ and $X_2$,
then, there exists $B$ such that

$$\forall e : e \in E_2 : |\hat{t}(e) - \hat{t}_2(e)| \le B. \qquad (4.14)$$

Proof: Let $X_0 = (E_0, R_0, \Delta_0)$ and
$X'_1 = (E'_1, R'_1, \delta_1, \theta_1)$. Let $\mathcal{E} = E_2 \cap E_0$.
Since $E_0$ is finite, so is $\mathcal{E}$. Also, for any
$f \in (E_2 \setminus \mathcal{E})$, $f \notin E_0$. So, by (4.10)

$$\{ C : C \mapsto f \in R_2 : C \mapsto f \} = \{ C : C \mapsto f \in (R_2 \lfloor E_0) : C \mapsto f \}$$
$$= \{ C : C \mapsto f \in R : C \mapsto f \} \qquad (4.15)$$

with the last equality due to $R = R_0 \cup (R_2 \lfloor E_0)$ and
$f \notin E_0$.

Next, if $\mathcal{E}$ is empty, then let $B$ be 0; else,

$$B = \max\{ e : e \in \mathcal{E} : |\hat{t}(e) - \hat{t}_2(e)| \}. \qquad (4.16)$$

Suppose that

$$Z = \{ e : e \in E_2 \wedge |\hat{t}(e) - \hat{t}_2(e)| > B : e \}$$

is not empty. Then, since only XER-systems with acyclic constraint graphs
are considered, there exists an element $f$ in $Z$ such that

$$\forall C : C \mapsto f \in R_2 : (\forall e : e \in C : e \notin Z). \qquad (4.17)$$

Clearly, by (4.16), $f \notin \mathcal{E}$, which implies $f \notin E_0$. So, if
$f \in \text{init}(X_2)$ then, by (4.15), $f \in \text{init}(X)$ and
$\hat{t}(f) = \hat{t}_2(f) = 0$. Alternatively, since $f \notin E_0$, (4.17)
and (4.11) imply

$$\forall C : C \mapsto f \in R_2 : (\forall e : e \in C : |(\hat{t}(e) + \Delta(e, f, r)) - (\hat{t}_2(e) + \Delta(e, f, r))| \le B). \qquad (4.18)$$

By (4.15), $\hat{t}(f)$ and $\hat{t}_2(f)$ are obtained by taking the maximum
and minimum over the same sets of events and rules. So, by Corollary 4.7,
(4.18) implies $|\hat{t}(f) - \hat{t}_2(f)| \le B$ which contradicts
$f \in Z$. Therefore, $Z$ is empty and the lemma is established. Q.E.D.


4.4  Scenarios 

Definition: For a repetitive XER-system $X' = (E', R', \delta, \theta)$, a
scenario of $X'$ is a conjunctive repetitive XER-system
$\bar{X}' = (E', \bar{R}', \bar{\delta}, \bar{\theta})$ where

• $\bar{R}' \subseteq R'$;

• $\bar{\delta}$ is the same (see footnote 3) as $\delta$ but defined only over
the restricted domain

$$\bar{\mathcal{D}}' = \{ u, v, q : q \in \bar{R}' \wedge u \in \text{src}(q) \wedge v = \text{tar}(q) : (u, v, q) \};$$

• $\bar{\theta}$ is the same as $\theta$ but defined only over
$\bar{\mathcal{D}}'$.

Thus, a scenario corresponds to an XER-system where only one of the
possible sets of causes of a transition is included. If, in $X'$, the number
of sets of causes for transition $u$ is $n(u)$, then $X'$ has precisely
$\prod_{u \in E'} n(u)$ scenarios.

Example 4.12: Consider the repetitive XER-system
$X' = (E', R', \delta, \theta)$ where

• $E' = \{a, b, c, d, e\}$;

• $R' = \{ \{d\} \mapsto a,\ \{a\} \mapsto b,\ \{b, e\} \mapsto c,\ \{c\} \mapsto d,\ \{a, b\} \mapsto e,\ \{b, d\} \mapsto e \}$;

• $\delta(d, e, \{b, d\} \mapsto e) = 4$, $\delta(a, e, \{a, b\} \mapsto e) = 2$,
and $\delta(u, v, q) = 1$ for all other $(u, v, q)$ in the domain of $\delta$; and

• $\theta(d, a, \{d\} \mapsto a) = 1$, $\theta(a, b, \{a\} \mapsto b) = 1$,
$\theta(d, e, \{b, d\} \mapsto e) = 1$, and $\theta(u, v, q) = 0$ for all other
$(u, v, q)$ in the domain of $\theta$.

Because of the two possible sets of causes for $e$, $X'$ has two scenarios:
$\bar{X}'_0$ with template set
$\bar{R}'_0 = (R' \setminus \{\{b, d\} \mapsto e\})$ and $\bar{X}'_1$ with
template set $\bar{R}'_1 = (R' \setminus \{\{a, b\} \mapsto e\})$. The
collapsed-constraint graphs of $X'$, $\bar{X}'_0$ and $\bar{X}'_1$ are shown in
Figure 4.4. □

4.4.1  Strongly  Connected  Scenarios 

A scenario is said to be strongly connected if its collapsed-constraint graph
is strongly connected. Some of the results in the sequel are valid only for
XER-systems with strongly connected scenarios. The justification for this
restriction is that, for our purpose, XER-systems are used to model
delay-insensitive circuits that function properly even if there are arbitrary
delays between the occurrences of transitions. In other words, the delay
function of a repetitive XER-system specifies the relative delays among the
transitions only under a given set of circumstances. In contrast, the
causality relationships embodied in the set of templates are valid under all
possible delay functions. The rest of the section shows how strongly
connected scenarios are necessary for delay-insensitive systems. The
arguments hinge on the observation that if, in the collapsed-constraint
graph, transition vertex $w$ does not lead to transition vertex $v$ (i.e.,
there is no path from $w$ to $v$), then, under an appropriate set of delays,
$v$ can occur an arbitrary number of times before a particular occurrence of
$w$ takes place. This observation is formalized and proved in the following
lemma.

Footnote 3: To reduce the cluttering of notation, when the domain of the
function is obvious or irrelevant, $\delta$ and $\theta$ will be used,
respectively, in place of $\bar{\delta}$ and $\bar{\theta}$.

Lemma 4.9 Let $X' = (E', R', \delta, \theta)$ be a conjunctive repetitive
XER-system with collapsed-constraint graph $G'$ and maximum occurrence-index
offset $\theta_{\max}$. Let $w$ be an element in $E'$ such that
$\emptyset \mapsto w \notin R'$. Let $v$ be a transition such that $w$ does
not lead to $v$ in $G'$. For any event $(v, i)$, there exists a conjunctive
repetitive XER-system $X'_1 = (E', R', \delta_1, \theta)$ such that
$\hat{t}_1(v, i) \le \hat{t}_1(w, \theta_{\max})$, where $\hat{t}_1$ is the
timing simulation of $X'_1$.

Proof: Let $q \in R'$, $\text{tar}(q) = w$, and $y \in \text{src}(q)$. Let
$\hat{t}$ be the timing simulation of $X'$. Define $\delta_1$ to be the same as
$\delta$ except that $\delta_1(y, w, q) = \hat{t}(v, i)$. Recall that we are
dealing with conjunctive systems. So, by (4.8),

$$\hat{t}_1(w, \theta_{\max}) \ge \hat{t}_1(y, \theta_{\max} - \theta(y, w, q)) + \delta_1(y, w, q) \ge \hat{t}(v, i). \qquad (4.19)$$

Next, let $X$ be the XER-system induced by $X'$. Let $G$ be the constraint
graph of $X$. Let

$$U = \{ v, i : (\forall k :: (w, k) \text{ does not lead to } (v, i) \text{ in } G) : (v, i) \}.$$

Suppose $Z = \{ v, i : (v, i) \in U \wedge \hat{t}(v, i) \ne \hat{t}_1(v, i) : (v, i) \}$
is not empty. Then, since $G$ is acyclic, there exists $(v, i) \in Z$ such
that for any $(u, j)$ and $r$,

$$(u, j) \in \text{src}(r) \wedge (v, i) = \text{tar}(r) \Rightarrow (u, j) \notin Z. \qquad (4.20)$$

If $(v, i) \in \text{init}(X)$, then $\hat{t}(v, i) = \hat{t}_1(v, i) = 0$.
Else, let $(u, j)$ and $r$ satisfy the premise of (4.20). If
$(u, j) \notin U$, then there exists $k$ such that $(w, k)$ leads to $(u, j)$
which implies $(w, k)$ leads to $(v, i)$, contradicting $(v, i) \in Z$. Hence,
(4.20) is equivalent to

$$(u, j) \in \text{src}(r) \wedge (v, i) = \text{tar}(r) \Rightarrow \hat{t}(u, j) = \hat{t}_1(u, j). \qquad (4.21)$$

Let $r = q\lceil i$. Then, since $v \ne w$ due to $(v, i) \in U$,
$\delta(u, v, q) = \delta_1(u, v, q)$. So, by the definition of timing
simulations, (4.21) implies $\hat{t}(v, i) = \hat{t}_1(v, i)$ which is a
contradiction. Hence, $Z$ is empty. But, by Lemma 4.4, $(v, i) \in U$; so,
$\hat{t}(v, i) = \hat{t}_1(v, i)$ and the lemma follows from (4.19). Q.E.D.

With this result, we can now argue that delay-insensitive circuits are
modeled by XER-systems with strongly connected scenarios. First, consider a
conjunctive repetitive XER-system $X'$. Suppose $G'$, the
collapsed-constraint graph of $X'$, has two strongly connected components
$H_0$ and $H_1$. If a transition $v$ in $H_0$ is in the cause set of a
transition $w$ in $H_1$, then $w$ does not lead to $v$ by the definition of
components. But then, by Lemma 4.9, there exists a set of delays such that
$v$ occurs arbitrarily often before $(w, \theta_{\max})$ takes place. Since
there is only one cause set for $w$, this situation implies instability in
the circuit being modeled. Hence, for a stable system, transitions in one
strongly connected component do not interact with those in another.
Consequently, it is sufficient to analyze each component independently and
the requirement that a conjunctive XER-system be strongly connected is
justified.

If $X'$ is not conjunctive, then let $\bar{X}'$ be one of its scenarios. For
each $q = C' \mapsto v$ where $q$ is a template in $X'$ but not in
$\bar{X}'$, define the delay function of $X'$ so that the delay between any
transition in $C'$ and $v$ is very large. In the timing simulation of $X'$,
each event occurs as soon as the timing constraints imposed by one of its
cause sets have been fulfilled. Thus, under the new delay function, this
cause set is always induced from $\bar{X}'$ and, therefore, the timing
simulations of $X'$ and $\bar{X}'$ are identical. To avoid the instabilities
previously mentioned for conjunctive XER-systems, $\bar{X}'$ needs to be
strongly connected. Since the choice of $\bar{X}'$ is arbitrary, if an
XER-system models a QDI circuit, then all of its scenarios are strongly
connected.
4.5 Linear Timing Function


Definition:  A  timing  function  t  of  a  repetitive  XER-system  X'  is  said  to  be 
linear  if  it  has  the  following  form: 

t(u,i)  =  h(u)  +  p  i  (4.22) 

where  h  is  a  function  of  u  and  p  does  not  depend  on  u  or  i.  The  period  of 
the  timing  function  is  p. 

Note that this definition differs slightly from the one given in [6] where a
linear timing function has the form:

$$t(u, i) = h(u) + p_u\, i. \qquad (4.23)$$

Burns then shows that if $u$ and $v$ belong to the same strongly connected
component of the corresponding collapsed-constraint graph $G'$, then $p_u$ and
$p_v$ are identical. He then restricts his attention only to strongly connected
systems. Since this restriction has already been made in this paper, it is
more convenient to use (4.22) as the definition of linear timing function.

4.5.1  Linear  Offset  Functions 

As Lemma 4.10 below shows, the timing constraints of (4.1) can be equivalently
expressed in terms of the function h as given in (4.22). In fact, the
latter expression is more convenient to work with since it is independent of
i. Thus, the following definition is made.

Definition: Let X' be a repetitive XER-system with transition set E'. Given
a number p, a linear offset function of X' with period p is any function
$h : E' \to [0, \infty)$ such that t defined by (4.22) is a linear timing function of X'.
The size of h is $|h| = \sum_{u \in E'} h(u)$.

Lemma 4.10 Let $X' = (E', R', \delta, \theta)$ be a repetitive XER-system. Let p be
any positive number and h be any function mapping elements of E' to $[0, \infty)$.
Then, h is a linear offset function of X' with period p if and only if

$\forall v : v \in E' : (\exists q : q \in R' \land \mathrm{tar}(q) = v : (\forall u : u \in \mathrm{src}(q) : h(v) \ge h(u) - p\,\theta(u, v, q) + \delta(u, v, q))).$  (4.24)

Proof: Let $X = (E, R, \Delta)$ be the XER-system induced by X'. Let t be
defined by (4.22). Then, by the construction of R, t is a linear timing function
if and only if

$\forall (v, i) : (v, i) \in E : (\exists q\lceil i : q\lceil i \in R \land \mathrm{tar}(q\lceil i) = (v, i) : (\forall (u, i - \theta(u, v, q)) : (u, i - \theta(u, v, q)) \in \mathrm{src}(q\lceil i) : t(v, i) \ge t(u, i - \theta(u, v, q)) + \Delta((u, i - \theta(u, v, q)), (v, i), q\lceil i))).$  (4.25)

Now, $(u, i - \theta(u, v, q)) \in \mathrm{src}(q\lceil i)$  $\mathrm{src}(q)$. Hence, by the definition of
$\Delta$, if (4.24) holds, then (4.25) holds and h is a linear offset function. Conversely,
if h is a linear offset function, then (4.25) holds. In particular, if
$i = \theta_{\max}$, then (4.25) implies (4.24) by (4.8). Hence, the lemma is established.
Q.E.D.

4.6 Minimum-Period Linear Timing Functions

Definition: A minimum-period linear timing function (MPLTF) of a repetitive
XER-system X' is a linear timing function t of X' whose period is
minimum, i.e., X' has no linear timing function with smaller period. The
minimum period of X', denoted period(X'), is the period of its MPLTF.

The  following  lemma  is  a  rephrasing  of  one  of  the  main  results  of  [6]. 

Lemma 4.11 If X' is a conjunctive repetitive XER-system whose collapsed-constraint
graph G' is strongly connected, then a MPLTF of X' exists and
period(X') is

$p = \max\{p' : p' \text{ is a cycle in } G' : \delta(p') / \theta(p')\}.$  (4.26)

Proof: Convert X' into the equivalent repetitive ER-system $y' = (E', R'_y)$
as shown in Lemma 4.3. Then, see Section 2.4 of [6] for the rest of the proof.
Below, a brief outline of that proof is given to illustrate the approach used
and to present some intermediate results which will be needed in the sequel.
First, note that, by construction, (4.10) is equivalent to

$\forall v : v \in E' : (\forall u, \alpha, \varepsilon : (u, v, \alpha, \varepsilon) \in R'_y : h(v) \ge h(u) - p\,\varepsilon + \alpha).$  (4.27)

Next, in y', order the elements of E' as $\{u_1, u_2, \ldots, u_n\}$ and those of $R'_y$
as $\{r_1, r_2, \ldots, r_m\}$. Let template $r_j$ be $(u_k, u_l, \alpha_j, \varepsilon_j)$, with $u_k$ and $u_l$ being,
respectively, the source and target of $r_j$. Let $\varepsilon$ be the transpose of
$(\varepsilon_1, \varepsilon_2, \ldots, \varepsilon_m)$ and $\alpha$ be the transpose of $(\alpha_1, \alpha_2, \ldots, \alpha_m)$. Construct A', the
arc-node incidence matrix of y', by

$A'_{jk} = \begin{cases} -1 & \text{if } u_k \text{ is the source of } r_j \\ 1 & \text{if } u_k \text{ is the target of } r_j \\ 0 & \text{otherwise.} \end{cases}$

Let x represent the vector $(h(u_1), h(u_2), \ldots, h(u_n))$. Then, the constraints
expressed in (4.27) are equivalent to (4.29) below and, therefore, finding the
MPLTF for y' is equivalent to solving

$z = \min p$  (4.28)

$A' x \ge \alpha - p\,\varepsilon$  (4.29)

$x, p \ge 0.$  (4.30)


The  fact  that  this  solution  exists  and  is  related  to  the  cycles  by  (4.26)  is 
given  in  [6].  Q.E.D. 

Note that p in (4.26) is well-defined because of the following reasons. Let
u be a transition in a cycle p'. Then, by Lemma 4.5, for all i sufficiently large,
there is a path from $(u, i - \theta(p'))$ to $(u, i)$ in G, the constraint graph of the
XER-system induced by X'. If $\theta(p') = 0$, then G is cyclic. If $\theta(p') < 0$, then
G has a vertex with an ancestor at an infinite distance (see Example 4.4).
Since both these cases have been excluded, $\theta(p')$ is positive and (4.26) is
consistent.

Example 4.13: Consider $X'_0$ of Example 4.12. As shown in Figure 4.4b,
there are the following three simple cycles in the collapsed-constraint graph
of $X'_0$.

• $p_0 = (a, \{a, b\} \mapsto e, e, \{b, e\} \mapsto c, c, \{c\} \mapsto d, d, \{d\} \mapsto a, a)$,

• $p_1 = (a, \{a\} \mapsto b, b, \{b, e\} \mapsto c, c, \{c\} \mapsto d, d, \{d\} \mapsto a, a)$, and

• $p_2 = (a, \{a\} \mapsto b, b, \{a, b\} \mapsto e, e, \{b, e\} \mapsto c, c, \{c\} \mapsto d, d, \{d\} \mapsto a, a)$.

Since

$\frac{\delta(p_0)}{\theta(p_0)} = \frac{5}{1} = 5, \quad \frac{\delta(p_1)}{\theta(p_1)} = 2, \quad \text{and} \quad \frac{\delta(p_2)}{\theta(p_2)}$

$\mathrm{period}(X'_0) = 5$. Indeed, t defined by

$t(a, i) = 5i, \quad t(b, i) = 5i, \quad t(c, i) = 3 + 5i, \quad t(d, i) = 4 + 5i, \quad t(e, i) = 2 + 5i,$  (4.31)

is a MPLTF of $X'_0$. Similar analysis shows that the minimum period of $X'_1$
in Example 4.12 is 6. □

To  facilitate  the  generalization  of  Lemma  4.11  to  non-conjunctive  systems, 
the  following  definition  is  made. 

Definition: A minimum-period linear offset function (MPLOF) of X' is a
linear offset function h of X' with period p such that t defined by

$t(u, i) = h(u) + p\, i$  (4.32)

is a MPLTF of X'.

By the relationship dictated by (4.32), the MPLOF of X' is the linear
offset function whose period is minimum.

Theorem 4.1 Let X' be a repetitive XER-system whose scenarios are
strongly connected. Then, a MPLTF of X' exists and period(X') is

$p = \min\{X' : X' \text{ is a scenario of } X' : \mathrm{period}(X')\}.$  (4.33)

Proof: Let the scenarios of X' be $X'_0, X'_1, \ldots, X'_M$. For any positive number
p, let $T_p(X'_m)$ denote the set of linear offset functions for $X'_m$ with period p
and likewise for $T_p(X')$. If $h \in T_p(X'_m)$, then, by Lemma 4.10, for any v,
there exists a unique template $q_v$ in $X'_m$ such that

$\forall u : u \in \mathrm{src}(q_v) : h(v) \ge h(u) - p\,\theta(u, v, q_v) + \delta(u, v, q_v).$  (4.34)

But $q_v$ is also a template in X'; so, $h \in T_p(X')$. Conversely, if h is in $T_p(X')$,
then for any v, there exists a template $q_v$ in X' such that (4.34) holds. Let
$X'_m$ be the scenario whose set of templates is precisely $\{v : v \in E' : q_v\}$.
Then, $h \in T_p(X'_m)$. So, for any positive p,

$T_p(X') = \bigcup_{m=0}^{M} T_p(X'_m).$  (4.35)

By  the  definition  of  MPLOF,  p  is  the  smallest  p  such  that  the  RHS  of 
(4.35)  is  non-empty.  Hence,  it  is  also  the  smallest  p  such  that  the  LHS  is 
non-empty.  So,  by  the  remarks  after  the  definition  of  MPLOF,  p  is  the  period 
of  a  MPLOF  of  X'  and  the  theorem  is  established.  Q.E.D. 

Example  4.14:  By  the  analysis  done  in  Example  4.13,  the  minimum  period 
of  X'  of  Example  4.12  is  5.  In  fact,  (4.31)  is  a  MPLTF  of  X' .  □ 


4.6.1  Critical  Scenarios,  Cycles,  and  Transitions 

Theorem 4.1 states that the minimum period of a repetitive XER-system is
determined by a particular cycle in the collapsed-constraint graph of a particular
scenario. For future reference, we introduce the following definition.

Definition: A scenario X' of a repetitive XER-system X' is critical if
period(X') = period(X'). A critical cycle in a scenario X' is a cycle p'
in the collapsed-constraint graph of X' such that

$\frac{\delta(p')}{\theta(p')} = \mathrm{period}(X').$

A critical cycle in a repetitive XER-system X' is any critical cycle in any
critical scenario of X'. Also, the set of critical transitions of X' is

$C(X') \stackrel{\mathrm{def}}{=} \{p', w : p' \text{ is a critical cycle of } X' \land w \text{ is a transition vertex in } p' : w\}.$  (4.36)


Example 4.15: For X' of Example 4.12, $X'_0$ is a critical scenario. A critical
cycle of $X'_0$ is

$(a, \{a, b\} \mapsto e, e, \{b, e\} \mapsto c, c, \{c\} \mapsto d, d, \{d\} \mapsto a, a),$

and a critical cycle of $X'_1$ is

$(e, \{b, e\} \mapsto c, c, \{c\} \mapsto d, d, \{b, d\} \mapsto e, e).$

The former is also a critical cycle of X'. Furthermore, $C(X'_0) = \{a, c, d, e\}$
and $C(X'_1) = \{c, d, e\}$. □

Let $p' = (u_0, q_0, u_1, q_1, \ldots, u_{l-1}, q_{l-1}, u_0)$ be a critical cycle of a scenario
$X'_m$. Note that p' may not be a cycle in the collapsed-constraint graph of
another scenario X', if one of the $q_j$'s belongs to the scenario $X'_m$ but not
to X'. In determining the minimum period of an XER-system, the following
lemma shows that once the critical cycles of a scenario have been found, it
is only necessary to analyze other scenarios for which none of these critical
cycles are present. By repeatedly applying this observation, the amount of
computation required may be greatly reduced.

Lemma 4.12 Let $X'_m$ be any scenario of a repetitive XER-system X'. Let
$\mathcal{R}_m$ be the set of critical cycles of $X'_m$. Then, period(X') = period($X'_m$)
unless there exists a critical scenario X', such that none of the elements in
$\mathcal{R}_m$ is a cycle in G', the collapsed-constraint graph of X'.

Proof: If any element of $\mathcal{R}_m$ is a cycle in G', then, by Lemma 4.11,

period(X') $\ge$ period($X'_m$). Q.E.D.


4.7  MPLTF’s  and  Timing  Simulations 

Throughout this section, except in the examples or when stated otherwise,
$X' = (E', R', \delta, \theta)$ is a repetitive XER-system with period p and
$X' = (E', R', \delta, \theta)$ is any of its critical scenarios. The purpose of this section
is to prove that a MPLTF of X' is a “good” approximation to its timing
simulation. The following example illustrates some of the issues involved.

Example 4.16: A linear timing function t (as defined in (4.31)) and the
timing simulation t of the repetitive XER-system X' in Example 4.12 are
shown in Figure 4.5.

Linear timing function:

t(a, 0) = 0,
t(b, 0) = 0,
t(e, 0) = 2,
t(c, 0) = 3,
t(d, 0) = 4,
t(a, 1) = 5,
t(b, 1) = 5,
t(e, 1) = 7,
t(c, 1) = 8,
t(d, 1) = 9,
t(a, 2) = 10,
t(b, 2) = 10,
t(e, 2) = 12,
t(c, 2) = 13,
t(d, 2) = 14,
t(a, 3) = 15,
t(b, 3) = 15,

Timing simulation:

t(a, 0) = 0,
t(b, 0) = 0,
t(e, 0) = min{max{t(b, 0) + 1}, max{t(a, 0) + 2, t(b, 0) + 1}} = 1,
t(c, 0) = max{t(b, 0) + 1, t(e, 0) + 1} = 2,
t(d, 0) = t(c, 0) + 1 = 3,
t(a, 1) = t(d, 0) + 1 = 4,
t(b, 1) = t(a, 0) + 1 = 1,
t(e, 1) = min{max{t(b, 1) + 1, t(d, 0) + 4}, max{t(a, 1) + 2, t(b, 1) + 1}} = 6,
t(c, 1) = max{t(b, 1) + 1, t(e, 1) + 1} = 7,
t(d, 1) = t(c, 1) + 1 = 8,
t(a, 2) = t(d, 1) + 1 = 9,
t(b, 2) = t(a, 1) + 1 = 5,
t(e, 2) = min{max{t(b, 2) + 1, t(d, 1) + 4}, max{t(a, 2) + 2, t(b, 2) + 1}} = 11,
t(c, 2) = max{t(b, 2) + 1, t(e, 2) + 1} = 12,
t(d, 2) = t(c, 2) + 1 = 13,
t(a, 3) = t(d, 2) + 1 = 14,
t(b, 3) = t(a, 2) + 1 = 10,

Figure 4.5: Timing functions for Example 4.16

Note that the difference between t(b, i) and t(b, i) starts at 0, then increases
to 4, and then remains at 5, which is period(X'), for all i ≥ 2. Thus,
for large i, t(b, i + 1) - t(b, i) = t(b, i + 1) - t(b, i) = period(X'). Hence,
at least in this example, period(X') serves as an indicator of the periodic
performance of X'.

Also, observe that $q_0 = \{b, d\} \mapsto e$ is the template such that

$t(e, 0) = \max\{(u, j) : (u, j) \in q_0\lceil 0 : t(u, j) + \Delta((u, j), (e, i), q_0\lceil 0)\}$  (4.37)

whereas $q_1 = \{a, b\} \mapsto e$ is the template for which

$= \max\{(u, j) : (u, j) \in q_1\lceil i : t(u, j) + \Delta((u, j), (e, i), q_1\lceil i)\}$  (4.38)

holds for all i > 0. Thus, in this example, except for some initial occurrences,
the timing simulation of X' is dictated by the constraints of a single scenario.
□

Our approach is to prove the existence of a critical scenario X' (like the
one containing template $q_1$ in the previous example) such that, eventually,
the behavior of X' is “close” to that of X'.
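Theorem 4.1, Lemma 4.11 and the timing simulation of Example 4.16 can be checked mechanically on the system of Example 4.12. The following is an added example, not code from the original text; the template table is reconstructed from the recurrences of Figure 4.5, and the function names (`simulate`, `scenarios`, `critical_cycle`, `minimum_period`) are assumptions of this sketch.

```python
from fractions import Fraction
from itertools import product

# Repetitive XER-system X' of Example 4.12, reconstructed from the recurrences
# in Figure 4.5 (an assumption of this example; Figure 4.4 is not reproduced).
# Each template is (target, {source: (delay, occurrence_index_offset)}).
TEMPLATES = [
    ("a", {"d": (1, 1)}),
    ("b", {"a": (1, 1)}),
    ("e", {"b": (1, 0), "d": (4, 1)}),  # q0 = {b, d} -> e
    ("e", {"a": (2, 0), "b": (1, 0)}),  # q1 = {a, b} -> e
    ("c", {"b": (1, 0), "e": (1, 0)}),
    ("d", {"c": (1, 0)}),
]
ORDER = ["a", "b", "e", "c", "d"]  # causal order inside one occurrence index


def simulate(templates, occurrences):
    """Timing simulation: min over cause sets of the max over their sources."""
    t = {}
    for i in range(occurrences):
        for v in ORDER:
            ready = []
            for target, sources in templates:
                if target != v:
                    continue
                # Sources with a negative occurrence index do not exist yet.
                arrivals = [t[(u, i - th)] + d
                            for u, (d, th) in sources.items() if i - th >= 0]
                ready.append(max(arrivals, default=0))
            t[(v, i)] = min(ready)
    return t


def scenarios(templates):
    """Every conjunctive scenario: pick exactly one template per target."""
    by_target = {}
    for template in templates:
        by_target.setdefault(template[0], []).append(template)
    return [list(choice) for choice in product(*by_target.values())]


def critical_cycle(scenario):
    """Return (max delta/theta over simple cycles, a cycle attaining it), cf. (4.26)."""
    edges = {}
    for target, sources in scenario:
        for u, (d, th) in sources.items():
            edges.setdefault(u, []).append((target, d, th))
    best = None

    def walk(start, node, path, d_sum, th_sum):
        nonlocal best
        for nxt, d, th in edges.get(node, []):
            if nxt == start:
                # theta of every cycle is positive for the systems considered.
                ratio = Fraction(d_sum + d, th_sum + th)
                if best is None or ratio > best[0]:
                    best = (ratio, path + [start])
            elif nxt not in path:
                walk(start, nxt, path + [nxt], d_sum + d, th_sum + th)

    for start in edges:
        walk(start, start, [start], 0, 0)
    return best


def minimum_period(templates):
    """Theorem 4.1: the minimum over scenarios of each scenario's period."""
    return min(critical_cycle(s)[0] for s in scenarios(templates))


if __name__ == "__main__":
    for s in scenarios(TEMPLATES):
        ratio, cycle = critical_cycle(s)
        print("scenario period", ratio, "critical cycle", " -> ".join(cycle))
    t = simulate(TEMPLATES, 6)
    print("period(X') =", minimum_period(TEMPLATES))
    print("simulated t(b, i):", [t[("b", i)] for i in range(6)])
```

The two scenarios have periods 6 and 5, so the system's minimum period is 5, and from the third occurrence on every simulated transition repeats with that period.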

4.7.1  The  “Smallest”  MPLOF  of  a  Critical  Scenario 

As an intermediate step in proving that a MPLTF is a good approximation of
the timing simulation, we will show that there exists a MPLOF h of X' such
that, for any transition v and the unique template $q_v$ in X' with $\mathrm{tar}(q_v) = v$,

$h(v) = \max\{u : u \in \mathrm{src}(q_v) : h(u) - p\,\theta(u, v, q_v) + \delta(u, v, q_v)\}.$  (4.39)

The  example  below  illustrates  that  it  is  not  trivial  to  prove  that  such  a 
MPLOF  exists. 

Example 4.17: Consider again $X'_0$ of Example 4.13. For any u in $\mathrm{src}(q_v)$,
define the slack of the pair (u, v) as

$s(u, v) = h(v) - (h(u) - p\,\theta(u, v, q_v) + \delta(u, v, q_v)).$

Figure 4.6a depicts a MPLOF h that results from minimizing the sum of all
slacks in $X'_0$. Each transition vertex u is labeled with h(u) and the edges in
$(u, q_v, v)$ are shown in bold if $u \in \mathrm{src}(q_v) \land s(u, v) = 0$. Note that (4.39) is not
satisfied for v = b (b is the leftmost transition vertex).

Alternatively, if we find the smallest MPLOF h satisfying h(b) = 5, then
the MPLOF depicted in Figure 4.6b results; if we find the smallest MPLOF h
satisfying h(a) = 0, then the MPLOF depicted in Figure 4.6c results. In both
cases, (4.39) is violated by v = b.

Note, however, that if we find the smallest MPLOF h that satisfies h(a) =
5, then, as shown in Figure 4.6d, (4.39) is satisfied for all v. □
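The three "smallest MPLOF" cases of Example 4.17 can be reproduced by a longest-path relaxation. This is an added example, not code from the original text; the delays and occurrence-index offsets of the scenario are reconstructed from the recurrences of Figure 4.5, the pinned value is treated as a lower bound, and the names `rhs`, `smallest_offsets` and `slack_at_target` are assumptions of this sketch.

```python
# Scenario X'_0 of Examples 4.13 and 4.17 (the scenario containing
# {a, b} -> e), with delays and occurrence-index offsets reconstructed from
# the recurrences in Figure 4.5 (an assumption of this example).
# SCENARIO[v] is the source set of the unique template q_v with target v,
# mapping each source u to (delta(u, v, q_v), theta(u, v, q_v)).
SCENARIO = {
    "a": {"d": (1, 1)},
    "b": {"a": (1, 1)},
    "e": {"a": (2, 0), "b": (1, 0)},
    "c": {"b": (1, 0), "e": (1, 0)},
    "d": {"c": (1, 0)},
}
PERIOD = 5  # period of this scenario, from Example 4.13


def rhs(h, v, p=PERIOD):
    """Right-hand side of (4.39) for transition v."""
    return max(h[u] - p * th + d for u, (d, th) in SCENARIO[v].items())


def smallest_offsets(lower_bounds, p=PERIOD):
    """Least h with h >= 0, h >= lower_bounds and h(v) >= rhs(h, v) for all v.

    Longest-path relaxation: when p is at least the minimum period, no cycle
    has positive weight delta - p*theta, so the values settle within |E'| rounds.
    """
    h = {v: max(0, lower_bounds.get(v, 0)) for v in SCENARIO}
    for _ in range(len(SCENARIO) + 1):
        changed = False
        for v in SCENARIO:
            need = rhs(h, v, p)
            if need > h[v]:
                h[v], changed = need, True
        if not changed:
            return h
    raise ValueError("no linear offset function exists for this period")


def slack_at_target(h, p=PERIOD):
    """Transitions where (4.39) fails: h(v) exceeds every source bound."""
    return [v for v in SCENARIO if h[v] != rhs(h, v, p)]


if __name__ == "__main__":
    for pin in ({"b": 5}, {"a": 0}, {"a": 5}):
        h = smallest_offsets(pin)
        print(pin, "->", h, "violates (4.39) at", slack_at_target(h))
```

With the lower bound h(a) = 0 the result coincides with the offsets of (4.31); only the bound h(a) = 5 makes (4.39) hold at every transition.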

In Lemma 4.17, the existence of a MPLOF h of X' satisfying (4.39) will
be demonstrated.⁴ However, some results need to be established beforehand.

⁴ There are simpler methods to prove that such a MPLOF exists (e.g. Lemma 4.18);
however, the MPLOF guaranteed by Lemma 4.17 satisfies several properties which are
needed in the subsequent arguments.

Lemma 4.13 Let G' be the collapsed-constraint graph of X'. Let h be a
MPLOF of X'. If

$p' = (u_0, q_0, u_1, q_1, \ldots, u_{l-1}, q_{l-1}, u_l)$

is a path in G' where $u_0$ and $u_l$ are transition vertices, then

$h(u_l) \ge h(u_0) - p\,\theta(p') + \delta(p').$  (4.40)

Proof: Since G' is bipartite, each $u_j$ is a transition vertex and each $q_j$ a template
vertex. Note that since X' is conjunctive, $q_j$ is the only template with
target $u_{j+1}$. So, Lemma 4.10 implies that for all j, $0 \le j < l$,

$h(u_{j+1}) \ge h(u_j) - p\,\theta(u_j, u_{j+1}, q_j) + \delta(u_j, u_{j+1}, q_j).$

Summing along the conjunctive edges along the path p' and recalling that
the weight and the occurrence-index offset of the disjunctive edge $(q_j, u_{j+1})$
are zeros establish (4.40). Q.E.D.

Lemma 4.14 For any MPLOF h of X', there exists a constant B, independent
of h, such that

$\forall u, v : (u \in E') \land (v \in E') : h(u) - h(v) \le (B - 1).$  (4.41)

Proof: For now, assume X' is conjunctive and let G' be its collapsed-constraint
graph. Let w be a fixed transition vertex. Since only strongly
connected graphs are considered, for every v in E', there exists in G' a path
$p'_{wv}$ from w to v. So, by Lemma 4.13, h(w) - h(v) is bounded above by a
value that depends only on p and the sums of weights and occurrence-index
offsets along a fixed path $p'_{wv}$. By setting $B_w$ to the maximum of these
bounds over all v, and B to the maximum of the $B_w$'s over all transitions w,
the lemma is established if X' is conjunctive.

If X' is not conjunctive, then, by the arguments above, for each critical
scenario $X'_m$ of X', there exists $B_m$ such that (4.41) with $B_m$ in place of B
holds. Since, by (4.35), h is a MPLOF of X' implies h is a MPLOF of a
critical scenario of X', setting B to the maximum of the $B_m$'s establishes the
lemma. Q.E.D.

Lemma 4.15 In a scenario X' with period p, let

$p' = (u_0, q_0, u_1, q_1, \ldots, u_{l-1}, q_{l-1}, u_l)$  (4.42)

be a critical cycle with $u_l = u_0$. Then, for any MPLOF h of X' and any j
such that $0 \le j < l$,

$h(u_{j+1}) = h(u_j) - p\,\theta(u_j, u_{j+1}, q_j) + \delta(u_j, u_{j+1}, q_j).$  (4.43)

Proof: Let $\sigma'$ be the subpath of p' from $u_1$ to $u_l = u_0$. By Lemma 4.13,

$h(u_0) \ge h(u_1) - p\,\theta(\sigma') + \delta(\sigma').$  (4.44)

By definition, $0 = p\,\theta(p') - \delta(p')$. So, adding this identity to (4.44) yields

$h(u_0) \ge h(u_1) + p\,(\theta(p') - \theta(\sigma')) - (\delta(p') - \delta(\sigma')).$  (4.45)

But $(u_0, q_0, u_1)$ is the only difference between p' and $\sigma'$; so,

$h(u_0) \ge h(u_1) + p\,\theta(u_0, u_1, q_0) - \delta(u_0, u_1, q_0).$  (4.46)

Now, since X' is conjunctive, $q_0$ is the only template whose target is $u_1$.
Therefore, since $u_0 \in \mathrm{src}(q_0)$, by Lemma 4.10, (4.46) is an equality. Hence,
(4.43) holds for j = 0. Since the critical cycle can start with any $u_j$, the
lemma is established. Q.E.D.


Lemma 4.16 Let v be a transition of X'. Let h* be a MPLOF of X' and $\nu$
a positive number such that $h^*(v) > \nu$. If

$\exists q : q \in R' \land \mathrm{tar}(q) = v : (\forall u : u \in \mathrm{src}(q) : \nu \ge h^*(u) - p\,\theta(u, v, q) + \delta(u, v, q)),$  (4.47)

then h' defined by

$h'(u) = \begin{cases} h^*(u) & \text{if } u \ne v \\ \nu & \text{if } u = v \end{cases}$  (4.48)

is a MPLOF of X'.

Proof: Let v be a transition other than v. For any u and q such that
$u \in \mathrm{src}(q)$ and $v = \mathrm{tar}(q)$,

$h^*(v) \ge h^*(u) - p\,\theta(u, v, q) + \delta(u, v, q)$  (4.49)

implies

$h'(v) \ge h'(u) - p\,\theta(u, v, q) + \delta(u, v, q)$  (4.50)

since the LHS of (4.49) equals the LHS of (4.50) and the RHS of (4.49) is
not less than the RHS of (4.50). This observation and (4.47) establish the
fact that (4.24) holds if h is replaced by h'. Hence, by Lemma 4.10, h' is a
MPLOF of X'. Q.E.D.

We are now ready to prove the main result of this sub-section.

Lemma 4.17 Let C(X') be as defined by (4.36). Let B satisfy (4.41). Let
$h(C(X')) \ge B$ denote the predicate

$\forall w : w \in C(X') : h(w) \ge B.$  (4.51)

Then, there exists a MPLOF h* of X' such that

$h^*(C(X')) \ge B$, and  (4.52)

$|h^*| = \min\{h : h \text{ is a MPLOF of } X' \text{ and } h(C(X')) \ge B : |h|\}.$  (4.53)

Furthermore, for any transition v, let $q_v$ denote the unique template in X'
with target v. Then, for all v,

$h^*(v) = \max\{u : u \in \mathrm{src}(q_v) : h^*(u) - p\,\theta(u, v, q_v) + \delta(u, v, q_v)\}.$  (4.54)


Proof: Convert X' into the equivalent repetitive ER-system $y' = (E', R'_y)$
as shown in Lemma 4.3. Let $|E'| = n$ and $|R'_y| = m$. For y', define the arc-node
incidence matrix A', the vector x, and the column-vectors $\varepsilon$ and $\alpha$ as
done in the proof of Lemma 4.11. Let $\beta$ be the n-dimensional column-vector
defined by

$\beta_k = \begin{cases} B & \text{if } u_k \in C(X') \\ 0 & \text{if } u_k \notin C(X'). \end{cases}$

Let $c^T = (1, 1, \ldots, 1)$. Then, since period(X') = p is given, finding h* that
satisfies (4.52) and (4.53) is equivalent to solving

$z = \min c^T x$  (4.55)

$A' x \ge \alpha - p\,\varepsilon$  (4.56)

$x \ge 0.$  (4.57)

Now, period(X') = p; so, there exists MPLOF h of X'. Let w be a
transition in C(X') such that h(w) is the minimum in the set $\{w : w \in C(X') : h(w)\}$.
Let $h^* = h - h(w) + B$. If $h^*(v) < 0$, then $h(v) - h(w) + B < 0$ which
contradicts Lemma 4.14. Thus, $h^* : E' \to [0, \infty)$. Also, in Lemma 4.10, for
any u and v, adding the same amount to both sides of (4.24) maintains the
inequality; consequently, h* is a MPLOF of X'. Moreover, for any $w \in C(X')$,

$h^*(w) = h(w) - h(w) + B \ge B$

by the minimality of h(w). Hence, a feasible solution exists for the linear
program above. Furthermore, since $c^T x$ is non-negative, by the Duality
Theorem [14], an optimal solution exists. Therefore, there exists a MPLOF
h* such that (4.52) and (4.53) are satisfied.

Next, by Lemma 4.10, h* is a MPLOF implies

$h^*(v) \ge \max\{u : u \in \mathrm{src}(q_v) : h^*(u) - p\,\theta(u, v, q_v) + \delta(u, v, q_v)\}.$  (4.58)

Consider the following two cases:

Case 1: ($v \in C(X')$) Let u be the transition immediately preceding v
in a critical cycle p'. Then, $u \in \mathrm{src}(q_v)$ and, consequently, by Lemma 4.15,
(4.58) is an equality.

Case 2: ($v \notin C(X')$) Let $\mu$ be the value of the RHS of (4.58). Assume,
toward a contradiction, that $h^*(v) > \mu$. Let $\nu = \max\{h^*(v) - 1, \mu\}$ and
define h' as

$h'(u) = \begin{cases} h^*(u) & \text{if } u \ne v \\ \nu & \text{if } u = v. \end{cases}$  (4.59)

Let w be any transition in C(X'); then, $h^*(w) - B \ge 0$ by (4.52). So, for any
v, since $B - 1 \ge h^*(w) - h^*(v)$ by Lemma 4.14,

$h'(v) = \nu \ge h^*(v) - 1 \ge (h^*(w) - B + 1) - 1 \ge 0.$

Also, by (4.58) and $\nu \ge \mu$, (4.47) is satisfied. Thus, applying Lemma 4.16
implies that h' is MPLOF such that (4.52) is satisfied. But, $|h'| < |h^*|$ which
contradicts the definition of h*. Q.E.D.

Before ending this sub-section, it should be pointed out that though defining
h* as the MPLOF with the smallest size that satisfies (4.52) leads to the
proof of its existence, it is necessary, in Lemma 4.21, to use the fact that h*
is also the MPLOF with the smallest “norm” as defined below.

Definition: Let R' be the set of templates for X'. For a MPLOF h of X',
the norm of h in X', denoted [h, X'], is defined to be

$|h| + \sum_{q \in R'} \max\{u : u \in \mathrm{src}(q) : h(u) - p\,\theta(u, \mathrm{tar}(q), q) + \delta(u, \mathrm{tar}(q), q)\}.$

As a means of showing that h* has the smallest norm, the following definition
is introduced.

Definition: For a scenario X', a MPLOF h saturates a transition v if either
$v \in C(X')$ or

$\exists u, q : u \in \mathrm{src}(q) \land v = \mathrm{tar}(q) : h(v) = h(u) - p\,\theta(u, v, q) + \delta(u, v, q) \land h \text{ saturates } u.$  (4.60)

Lemma 4.18 If h is a MPLOF of X' with $h(C(X')) \ge B$, then there exists
a MPLOF h'' such that $h''(C(X')) \ge B$, h'' saturates every transition in X',
and $[h'', X'] \le [h, X']$.


Proof: Let S be the set of transitions saturated by h. Let T be the set of
transitions not saturated by h. Let $q_v$ denote the unique template such that
$\mathrm{tar}(q_v) = v$. Then, since h is a MPLOF, by Lemma 4.10, for any v and
$u \in \mathrm{src}(q_v)$,

$h(v) \ge h(u) - p\,\theta(u, v, q_v) + \delta(u, v, q_v).$  (4.61)

Let Q be defined as $\{u, v : u \in \mathrm{src}(q_v) \land u \in S \land v \in T : (u, v)\}$. By the fact
that X' is strongly connected, Q is empty only if T is empty; in which case,
the lemma obviously holds. So, assume Q is not empty and define

$s = \min(\{1\} \cup \{u, v : (u, v) \in Q : h(v) - (h(u) - p\,\theta(u, v, q_v) + \delta(u, v, q_v))\}).$  (4.62)

Note that $s \ge 0$ by (4.61). So, define h' by

$h'(v) = \begin{cases} h(v) & \text{if } v \in S \\ h(v) - s & \text{if } v \in T. \end{cases}$  (4.63)

Since $C(X') \subseteq S$, $h'(C(X')) \ge B$. Also, by Lemma 4.14, $s \le 1$ implies
$h(v) - s \ge 0$.

Next, let v be an arbitrary transition and u be in $\mathrm{src}(q_v)$. If $u \in T$, then
(4.61) implies

$h'(v) \ge h'(u) - p\,\theta(u, v, q_v) + \delta(u, v, q_v)$  (4.64)

since s is subtracted from the RHS of (4.61) and at most s is subtracted from
its LHS. If $u \in S$ and $v \in T$, then

$h'(v) = h(v) - s \ge h(v) - (h(v) - (h(u) - p\,\theta(u, v, q_v) + \delta(u, v, q_v)))$

by the minimality of s and, so, once again (4.64) holds. Finally, if $u \in S$
and $v \in S$, then (4.61) implies (4.64) since the values on each side of the two
equations are the same. So, h' is a MPLOF of X'. Moreover, since h' is the
same as h for transitions saturated by h, these transitions are also saturated
by h'.

Next, assume, for now, that there exist $(u, v) \in Q$ such that

$s = h(v) - (h(u) - p\,\theta(u, v, q_v) + \delta(u, v, q_v)).$  (4.65)

Then, since $v \in T$, s > 0. Also, (4.65) and (4.63) imply

$h'(v) = h(v) - s = h'(u) - p\,\theta(u, v, q_v) + \delta(u, v, q_v).$

Hence, v is saturated by h'. So, $h'(C(X')) \ge B$, h' saturates more transitions
than h, and $[h', X'] < [h, X']$ by (4.63). Alternatively, suppose that there
exists no (u, v) that satisfies (4.65). Then, by (4.62), s = 1, and, since T is
not empty, (4.63) implies $|h'| \le |h| - 1$ and $[h', X'] < [h, X']$.

So,  regardless  of  whether  (u,v)  for  (4.65)  exists,  the  sum  of  h'  and 
the  number  of  transitions  not  saturated  by  h'  is  at  least  one  less  than  the 
corresponding  sum  for  h.  Since  this  sum  is  bounded  below  by  zero,  repeatedly 
applying  this  result  yields  h"  which  saturates  all  transitions  and  the  lemma 
is  therefore  established.  Q.E.D. 

Lemma 4.19 The MPLOF h* defined by (4.52) and (4.53) also satisfies

$[h^*, X'] = \min\{h : h \text{ is a MPLOF of } X' \land h(C(X')) \ge B : [h, X']\}.$  (4.66)

Proof: By Lemma 4.18, it suffices to consider only MPLOF's that saturate
all transitions of X'. But for such a MPLOF h,

$\max\{u : u \in \mathrm{src}(q) : h(u) - p\,\theta(u, \mathrm{tar}(q), q) + \delta(u, \mathrm{tar}(q), q)\} = h(\mathrm{tar}(q))$

holds for any template q by (4.43), (4.60), and Lemma 4.10. Since every
transition is the target of a unique template, $[h, X'] = 2|h|$. The validity of
this lemma then follows from (4.53). Q.E.D.

4.7.2 The “Smallest” MPLOF of an XER-System

In this sub-section, we will show that there is a MPLOF h* for any repetitive
XER-system X' such that (4.68) holds. The proof relies on the following
result.

Lemma 4.20 Let v be a transition that is disjunctively caused. Let $q_0$ and
$q_1$ be two templates with target v. Let $X'_0$ and $X'_1$ be two scenarios that are
identical except that $q_0$ is a template in the former and $q_1$ is a template in
the latter. Suppose that $X'_0$ is a critical scenario with MPLOF h and

$h(v) > \max\{u : u \in \mathrm{src}(q_1) : h(u) - p\,\theta(u, v, q_1) + \delta(u, v, q_1)\}.$  (4.67)

Then, h is a MPLOF of $X'_1$ and $C(X'_1) \subseteq C(X'_0)$.

Proof: For $v \ne v$, let $q_v$ be the unique template in $X'_0$ with target v. Then,
$q_v$ is also the unique template in $X'_1$ with target v. Thus, h is a MPLOF
implies

$h(v) \ge \max\{u : u \in \mathrm{src}(q_v) : h(u) - p\,\theta(u, v, q_v) + \delta(u, v, q_v)\}$

for all $v \ne v$. This observation and (4.67) imply h is MPLOF of $X'_1$ since
period($X'_1$) cannot be less than p by Theorem 4.1.

Next, suppose w is a transition in $C(X'_1) \setminus C(X'_0)$. Let p' be the critical
cycle of $X'_1$ which contains w. Since w is not in $C(X'_0)$, p' contains a template
not in $X'_0$, namely, $q_1$. So, there exists $u \in \mathrm{src}(q_1)$ such that p' can be written
as the concatenation of $(u, q_1, v)$ and $\sigma'$ that is a path from v back to u.
Now, by Lemma 4.13,

$h(u) \ge h(v) - p\,\theta(\sigma') + \delta(\sigma').$

By (4.67),

$h(v) > h(u) - p\,\theta(u, v, q_1) + \delta(u, v, q_1) \ge h(v) - p\,\theta(p') + \delta(p').$

But then $p > \delta(p') / \theta(p')$, contradicting the assumption that p' is a critical cycle of
a critical scenario. This contradiction establishes the lemma. Q.E.D.

Lemma 4.21 There exists a MPLOF h* of X' such that, for any transition
v,

$h^*(v) = \min\{q : q \in R' \land v = \mathrm{tar}(q) : \max\{u : u \in \mathrm{src}(q) : h^*(u) - p\,\theta(u, v, q) + \delta(u, v, q)\}\}.$  (4.68)

Proof: Let the critical scenarios of X' be $X'_0, X'_1, \ldots, X'_M$, where
$X'_m = (E', R'_m, \delta, \theta)$. Let B satisfy (4.41). By Lemma 4.17 and Lemma 4.19, let
$h^*_m$ be the MPLOF satisfying

$h^*_m(C(X'_m)) \ge B$, and  (4.69)

$[h^*_m, X'_m] = \min\{h : h \text{ is a MPLOF of } X'_m \land h(C(X'_m)) \ge B : [h, X'_m]\}.$  (4.70)

Let $\mu = \min\{m :: [h^*_m, X'_m]\}$. W.l.g., assume $[h^*_0, X'_0] = \mu$ and let h* be $h^*_0$.

We will now show that (4.68) is satisfied. Let v be an arbitrary transition.
Let $q_0$ be the unique template with target v in $X'_0$. Since h* is $h^*_0$, by (4.54)
of Lemma 4.17,

$h^*(v) = \max\{u : u \in \mathrm{src}(q_0) : h^*(u) - p\,\theta(u, v, q_0) + \delta(u, v, q_0)\}.$  (4.71)

Suppose, toward a contradiction, that (4.68) does not hold. Then, there
exists a template $q_1$ in X' with target v such that

$h^*(v) > \max\{u : u \in \mathrm{src}(q_1) : h^*(u) - p\,\theta(u, v, q_1) + \delta(u, v, q_1)\}.$  (4.72)

Let X' be the scenario that is identical to $X'_0$ except that $q_0$ is replaced by $q_1$.
By Lemma 4.20, h* is a MPLOF of X'. Thus, X' is a critical scenario and,
w.l.g., let X' be $X'_1$. Also, by the same lemma, $C(X'_1) \subseteq C(X'_0)$. So, since
(4.69) holds with m = 0, $h^*(C(X'_1)) \ge B$. Therefore, by (4.70) with m = 1,

$[h^*, X'_1] \ge [h^*_1, X'_1].$  (4.73)

Now, since $X'_0$ and $X'_1$ are identical except for the templates involving v,
(4.71) and (4.72) imply

$[h^*, X'_0] > [h^*, X'_1].$  (4.74)

This inequality and (4.73) contradict the minimality of $\mu = [h^*, X'_0]$. Hence,
(4.68) holds for v and the lemma is established. Q.E.D.

4.7.3 Closeness of Approximation

Theorem 4.2 Let t be the timing simulation of a repetitive XER-system
$X' = (E', R', \delta, \theta)$ whose scenarios are all strongly connected. Let t be any
MPLTF of X'. Then, there exists a constant B such that

$\forall u, i : u \in E' \land i \in \mathbb{N} : t(u, i) - t(u, i) \le B$  (4.75)

and B does not depend on u or i.

Proof: Let $\mathcal{X}$ be the XER-system induced by $\mathcal{X}'$. Let the period of $\mathcal{X}'$ be $p$ and let $h^*$ be a MPLOF of $\mathcal{X}'$ that satisfies (4.68). Define

$$t^*(u, i) = h^*(u) + p\,i.$$

Recall the definition of $\theta_{\max}$ and the fact that if $v = \mathrm{tar}(q)$, then for all $i$, $i > \theta_{\max}$,

$$(u, j) \in \mathrm{src}(q|_i) \qquad (u, i - \theta(u, v, q)) \in \mathrm{src}(q). \tag{4.76}$$

So, for $i > \theta_{\max}$, (4.68) implies

$$t^*(v, i) = \min\{q : q \in R' \wedge v = \mathrm{tar}(q) : \max\{u : u \in \mathrm{src}(q) : t^*(u, i - \theta(u, v, q)) + \delta(u, v, q)\}\}. \tag{4.77}$$

Let

$$B^* = \max\{u, i : u \in E' \wedge i < \theta_{\max} : t^*(u, i) - t(u, i)\}. \tag{4.78}$$

Suppose that

$$Z = \{v, i : v \in E' \wedge i \in \mathbb{N} \wedge t^*(v, i) - t(v, i) > B^* : (v, i)\}$$

is not empty. Then, since only XER-systems with acyclic constraint graphs are considered, there exists an element $(v, i)$ in $Z$ such that for any event $(u, j)$ in $E$ and any rule $q|_i$ in $R$,

$$(u, j) \in \mathrm{src}(q|_i) \wedge (v, i) = \mathrm{tar}(q|_i) \Rightarrow (u, j) \notin Z. \tag{4.79}$$

Clearly, $i > \theta_{\max}$ by (4.78). If $(v, i)$ is in $\mathrm{init}(\mathcal{X})$, then (4.76) implies any template with $v$ as target has an empty set of sources. This relationship implies that there is no edge leading into $v$ in the collapsed-constraint graph of $\mathcal{X}'$, contradicting the strong connectivity of the graph.

Alternatively, if $(v, i) \notin \mathrm{init}(\mathcal{X})$, then, by (4.79),

$$\forall (u, j), q : (u, j) \in \mathrm{src}(q|_i) \wedge (v, i) = \mathrm{tar}(q|_i) : t^*(u, j) - t(u, j) \le B^*.$$

So, by the definition of timing simulation and (4.77), $t^*(v, i)$ and $t(v, i)$ are obtained by taking the minimum and maximum over the same sets of templates and source transitions. Thus, Corollary 4.7 implies

$$t^*(v, i) - t(v, i) \le B^*,$$

which contradicts $(v, i) \in Z$. Therefore, $Z$ is empty and (4.75) with $t^*$ and $B^*$ in place of $t$ and $B$ holds.

Let $t$ be any other MPLTF of $\mathcal{X}'$ and let $h$ be the associated MPLOF. Define

$$B_0 = \max\{u : u \in E' : h(u) - h^*(u)\}.$$

Then, for all $(v, i) \in (E' \times \mathbb{N})$,

$$t(v, i) - t(v, i) = t(v, i) - t^*(v, i) + t^*(v, i) - t(v, i) \le B_0 + B^*.$$

So, setting $B$ to $B_0 + B^*$ establishes the theorem. Q.E.D.

Note that (4.75) may not hold if a critical scenario $X'$ is not strongly connected. In [15], there is no requirement of strongly connected scenarios and Gunawardena is able to give necessary and sufficient criteria for a condition that would imply (4.75); however, the results are valid only if there are at most two initial events. Since we allow an arbitrary number of initial events and have already argued that the scenarios of many practical systems are strongly connected, we believe Theorem 4.2 represents a significant contribution to the theory of timing analysis.


4.8  Summary 

We have extended the concept of ER-systems so that inherently disjunctive systems, which arise from PR's with guards that are not mutex, can be modeled. Furthermore, we have shown that the period of a repetitive XER-system is a good indication of its performance. Thus, to determine the performance of a circuit, it is sufficient to represent the circuit as a repetitive XER-system. Chapter 7 describes how this representation can be achieved systematically. Furthermore, if the delays between transitions in the circuit are specified as functions of transistor sizes, then the performance of the circuit can be optimized by finding sizes that minimize the period of the corresponding repetitive XER-system.

To  compute  this  period,  one  can  use  the  methods  described  in  [6]  to  find 
the  periods  of  the  scenarios  and  then  select  the  minimum.  Since,  in  practice, 
the  number  of  transitions  with  more  than  one  set  of  causes  and  the  number  of 
alternative  sets  of  causes  for  a  particular  transition  are  both  relatively  small, 
this  approach  is  usually  acceptable.  Alternatively,  when  numerical  values 
have  been  given  for  the  delays,  one  can  start  with  an  arbitrary  scenario 
and  use  Lemma  4.12  to  selectively  add  and  remove  templates  so  that  not 
all  scenarios  have  to  be  analyzed.  Finally,  when  the  delays  are  functions  of 
transistor  sizes,  heuristics  can  be  used  to  search  for  the  optimum  period  for 
the  entire  XER-system  instead  of  doing  it  for  each  individual  scenario. 




Chapter  5 

Cumulative  State  Graphs 


We have chosen cumulative state graphs as our basic framework for analyzing the behavior of a PR set. Many properties of these graphs will be presented in this chapter. In particular, the notions of minimal cycles, minimal periods, and separable graphs will play a major role in subsequent chapters.


5.1  Definitions 

5.1.1  Events  and  States 

Let $\mathcal{P}$ be a closed PR set with $K$ variables. Then,

• $X(\mathcal{P}) = \{x_0, x_1, \ldots, x_{K-1}\}$ is the set of variables of $\mathcal{P}$;

• $\mathcal{E}(\mathcal{P}) = X(\mathcal{P}) \times \mathbb{N}$ is the set of events of $\mathcal{P}$;

• $\Sigma(\mathcal{P}) = \mathbb{N}^K$ is the set of cumulative states¹ of $\mathcal{P}$.

For an event $\alpha = (x_k, l)$, the variable of the event is $\mathrm{var}(\alpha) = x_k$, and the occurrence number of the event is $\mathrm{oc}(\alpha) = l$.

Intuitively, event $(x_k, l)$ represents (approximately) the $l$-th occurrence of a transition on the variable $x_k$. For a state $\sigma$, its $k$-th component² being $l$ implies that $(x_k, l)$ has taken place in that state but $(x_k, l + 1)$ has not. These notions will be formally defined below.

¹ For brevity, in the sequel, a state is taken to mean a cumulative state unless stated otherwise.

² For a vector such as $\sigma \in \Sigma(\mathcal{P})$, we use $\sigma[k]$ to denote the $k$-th component of the vector.

The concept of cumulative states (but not indexed events) has been used in [37] whose authors, using more abstract techniques, have established results similar to some of those given in this chapter. However, developing these results under our approach corresponds more closely to the operational nature of PR sets and allows for extensions that will be presented in the subsequent chapters.

Returning to our model, in order to easily determine the value of a variable at a given state, we have adopted the following convention:

The occurrence of the event $(x_k, l)$ causes $x_k$ in the new state to be true if $l$ is odd and causes $x_k$ in the new state to be false if $l$ is even.

So, for an event $\gamma = (x_k, l)$, the transition corresponding to $\gamma$ is

$$\mathrm{tran}(\gamma) = \begin{cases} x_k\!\uparrow & \text{if $l$ is odd} \\ x_k\!\downarrow & \text{if $l$ is even} \end{cases} \tag{5.1}$$

and the literal corresponding to $\gamma$ is

$$\mathrm{lit}(\gamma) = \begin{cases} x_k & \text{if $l$ is odd} \\ \neg x_k & \text{if $l$ is even.} \end{cases} \tag{5.2}$$


Also, we define the Boolean value of a state $\sigma$, denoted by $\mathrm{bool}(\sigma)$, as the element in $\{\text{true}, \text{false}\}^K$ whose components satisfy

$$(\mathrm{bool}(\sigma))[k] = \begin{cases} \text{false} & \text{if $\sigma[k]$ is even} \\ \text{true} & \text{if $\sigma[k]$ is odd.} \end{cases} \tag{5.3}$$

The value of $x_k$ in state $\sigma$ is then $(\mathrm{bool}(\sigma))[k]$, and, by extrapolation, we can define the value of any Boolean expression involving the variables $x_0, x_1, \ldots, x_{K-1}$ in state $\sigma$.

Example 5.1: As an illustration of the concepts of this chapter, let $\mathcal{P}$ be the PR set shown in Figure 5.1. Then, at state³ $\sigma = 2211$, $\mathrm{bool}(\sigma) = (\text{false}, \text{false}, \text{true}, \text{true})$. Thus, the values of $x_0$ and $x_1$ are both false and the value of $\neg x_0 \wedge \neg x_1$ is true at $\sigma$. □

³ The numerical value of a state $\sigma$ is written as the juxtaposition $\sigma[0]\sigma[1] \ldots \sigma[K-1]$.
5.1.2 State Changes

Definition: An event $\alpha = (x_k, l)$ is said to be enabled in state $\sigma$, denoted $\mathrm{enb}(\alpha, \sigma)$, if $\sigma[k] = l - 1$ and the guard for $\mathrm{tran}(\alpha)$ is true in $\sigma$.

Example 5.2: In the above example, since $\sigma[2] = 1$ and the value of $\neg x_0 \wedge \neg x_1$, the guard for $x_2\!\downarrow$, is true at $\sigma$, $\mathrm{enb}((x_2, 2), \sigma)$. □

Definition: A state $\sigma_a$ changes to $\sigma_b$, denoted $\sigma_a \to \sigma_b$, if there exists an event $\alpha = (x_k, l)$ such that

$$\mathrm{enb}(\alpha, \sigma_a) \wedge \sigma_b[k] = \sigma_a[k] + 1 \wedge \forall k' : k' \ne k : \sigma_b[k'] = \sigma_a[k'].$$

The event $\alpha$ is said to effect a state change between $\sigma_a$ and $\sigma_b$ and this relationship is represented by $\sigma_a \xrightarrow{\alpha} \sigma_b$.

Note that under this definition, a transition on a variable is an atomic action. To model the situation where there is an arbitrary delay along a non-isochronic branch, a wire operator and a new variable need to be added explicitly as done in Sub-section 2.3.3.

Example 5.3: Since $\mathrm{enb}((x_2, 2), 2211)$, $2211 \to 2221$. □

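Definition: The relationship leads to, denoted $\xrightarrow{*}$, is the reflexive, transitive closure of changes to. In other words, it is the smallest relation defined recursively by

1. $\sigma_a \xrightarrow{*} \sigma_a$.

2. $\sigma_a \xrightarrow{*} \sigma_b \wedge \sigma_b \to \sigma_c \Rightarrow \sigma_a \xrightarrow{*} \sigma_c$.

In the definition below, $\sigma_{\mathrm{init}}$ can be any member of $\Sigma(\mathcal{P})$. In particular, one can assume that

$$\sigma_{\mathrm{init}}[k] = \begin{cases} 0 & \text{if the initial value of $x_k$ is false} \\ 1 & \text{if the initial value of $x_k$ is true.} \end{cases}$$

Definition: The (cumulative) state graph of $\mathcal{P}$ for a given initial state $\sigma_{\mathrm{init}}$ is a labeled directed graph $\Gamma(\mathcal{P}, \sigma_{\mathrm{init}}) = (S, C)$ where

• $S = \{\sigma : \sigma \in \Sigma(\mathcal{P}) \wedge \sigma_{\mathrm{init}} \xrightarrow{*} \sigma : \sigma\}$;

• $C = \{\sigma_a, \sigma_b, \alpha : \sigma_a \in S \wedge \sigma_b \in S \wedge \alpha \in \mathcal{E}(\mathcal{P}) \wedge \sigma_a \xrightarrow{\alpha} \sigma_b : (\sigma_a, \sigma_b, \alpha)\}$.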

$S$ is the set of states of $\Gamma$ and, in the sequel, unless specifically stated otherwise, all states are those that are reachable from the initial state and will be represented by $\sigma$, $\tau$, $\phi$, or $\rho$. Events will be represented by $\alpha$, $\beta$, $\gamma$, or $\delta$. Furthermore,

$$\sigma_0 \xrightarrow{\alpha_0} \sigma_1 \xrightarrow{\alpha_1} \cdots \xrightarrow{\alpha_{n-1}} \sigma_n$$

denotes the fact that

$$\forall i : 0 \le i < n : (\sigma_i, \sigma_{i+1}, \alpha_i) \in C$$

and such a set of connected edges will be referred to as a path in the graph. The length of the path is $n$ and $\alpha_i$, for $i$ such that $0 \le i < n$, is said to occur in the path. Also, we will use $\sigma_a \xrightarrow{*} \sigma_b$ to denote any path from $\sigma_a$ to $\sigma_b$ (including the one with zero length), if the identities of the events and intermediate states in the path are immaterial.

Example 5.4: Figure 5.1 shows a PR set and the beginning part of its state graph starting at initial state $\sigma_{\mathrm{init}} = 0000$. To avoid cluttering up the picture, the labels of some of the edges are not given; however, they should be obvious from context. □

5.2  Basic  Properties 

5.2.1  Weights  and  Paths 

In  this  section,  we  list  some  basic  properties  of  state  graphs  for  future  refer¬ 
ence. 

Definition: The weight for a state $\sigma$ is $\mathrm{wt}(\sigma) = \sum_{k=0}^{K-1} \sigma[k]$.

Lemma 5.1 If $\sigma_0 \to \sigma_1 \to \cdots \to \sigma_n$, then $\mathrm{wt}(\sigma_n) = \mathrm{wt}(\sigma_0) + n$.

Proof: Use the definition of state change and induction on $n$. Q.E.D.

Lemma 5.2 If $\sigma_0 \xrightarrow{\alpha_0} \sigma_1 \xrightarrow{\alpha_1} \cdots \xrightarrow{\alpha_{n-1}} \sigma_n$ and $\mathcal{A} = \{i : 0 \le i < n : \alpha_i\}$, then for any $k$, $0 \le k < K$, $\sigma_0[k] \le \sigma_n[k]$ and

$$\forall l :: (\sigma_0[k] < l \le \sigma_n[k] \Leftrightarrow (x_k, l) \in \mathcal{A}). \tag{5.4}$$

Proof: Use the definition of state change and induction on $n$. Q.E.D.


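Lemma 5.3 Suppose there exist states and events such that

$$\sigma \xrightarrow{\alpha_0} \tau_1 \xrightarrow{\alpha_1} \cdots \xrightarrow{\alpha_{n-2}} \tau_{n-1} \xrightarrow{\alpha_{n-1}} \sigma_a \tag{5.5}$$

and

$$\sigma \xrightarrow{\beta_0} \phi_1 \xrightarrow{\beta_1} \cdots \xrightarrow{\beta_{m-2}} \phi_{m-1} \xrightarrow{\beta_{m-1}} \sigma_b. \tag{5.6}$$

Let $\mathcal{A} = \{i : 0 \le i < n : \alpha_i\}$ and $\mathcal{B} = \{i : 0 \le i < m : \beta_i\}$. Then, $\mathcal{A} = \mathcal{B}$ if and only if $\sigma_a = \sigma_b$.

Proof: By Lemma 5.2, $\mathcal{A}$ is determined uniquely by $\sigma_a$, and vice versa. So, $\mathcal{A} = \mathcal{B} \Leftrightarrow \sigma_a = \sigma_b$. Q.E.D.

As a notational shorthand, we will use $\sigma_a \xrightarrow[*]{\mathcal{A}} \sigma_b$ to denote the facts that there is a path from $\sigma_a$ to $\sigma_b$ and $\mathcal{A}$ is a set of events occurring along that path. By Lemma 5.3, $\mathcal{A}$ is unique. In the sequel, $\mathcal{A}$, $\mathcal{B}$, $\mathcal{C}$, and $\mathcal{D}$ will be used to represent sets of events.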


5.2.2  Stable  Graphs 

In a stable PR set $\mathcal{P}$, if two transitions are enabled, then firing one does not cause the other to become not enabled. This property is reflected in the state graph of $\mathcal{P}$ by the following definition, which is illustrated in Figure 5.2.

Definition: A state graph $\Gamma$ is stable if for any $\alpha \ne \beta$,

$$(\sigma_a \xrightarrow{\alpha} \sigma_b \wedge \sigma_a \xrightarrow{\beta} \sigma_c) \Rightarrow (\exists \sigma_d :: \sigma_b \xrightarrow{\beta} \sigma_d \wedge \sigma_c \xrightarrow{\alpha} \sigma_d).$$

[Figure 5.2: Stability in a state graph]

Since only stable PR sets are produced by the compilation method, from now on, all state graphs are assumed to be stable unless stated otherwise. As an aside, it should be pointed out that stability in a state graph is analogous to semi-modularity in a lattice [3]. However, since some of the later results apply only to state graphs and not to lattices in general, we have decided not to employ any lattice theory and, instead, start from first principles as given above.

The next two results apply the stability property to paths in which no common event occurs. Lemma 5.6 and Lemma 5.7 then investigate the more general situation.


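Lemma 5.4 If

$$\sigma_0 \xrightarrow{\alpha_0} \sigma_1 \xrightarrow{\alpha_1} \cdots \xrightarrow{\alpha_{n-1}} \sigma_n, \tag{5.7}$$

$\sigma_0 \xrightarrow{\beta} \tau_0$, and $\forall i : 0 \le i < n : \alpha_i \ne \beta$, then there exists $\{i : 1 \le i \le n : \tau_i\}$ such that

$$\tau_0 \xrightarrow{\alpha_0} \tau_1 \xrightarrow{\alpha_1} \cdots \xrightarrow{\alpha_{n-1}} \tau_n$$

and $\forall i : 1 \le i \le n : \mathrm{enb}(\beta, \sigma_i) \wedge \sigma_i \xrightarrow{\beta} \tau_i$.

Proof: Use stability and induction on $n$. Q.E.D.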


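Lemma 5.5 If

$$\sigma_{0,0} \xrightarrow{\alpha_0} \sigma_{1,0} \xrightarrow{\alpha_1} \cdots \xrightarrow{\alpha_{n-2}} \sigma_{n-1,0} \xrightarrow{\alpha_{n-1}} \sigma_{n,0}$$

and

$$\sigma_{0,0} \xrightarrow{\beta_0} \sigma_{0,1} \xrightarrow{\beta_1} \cdots \xrightarrow{\beta_{m-2}} \sigma_{0,m-1} \xrightarrow{\beta_{m-1}} \sigma_{0,m}$$

and $\{i : 0 \le i < n : \alpha_i\} \cap \{i : 0 \le i < m : \beta_i\} = \emptyset$, then there exists $\{i, j : 1 \le i \le n \wedge 1 \le j \le m : \sigma_{i,j}\}$ such that

$$\forall i, j : 0 \le i < n \wedge 0 \le j < m : \sigma_{i,j} \xrightarrow{\alpha_i} \sigma_{i+1,j} \wedge \sigma_{i,j} \xrightarrow{\beta_j} \sigma_{i,j+1}. \tag{5.8}$$

Proof: Use Lemma 5.4 and induction on $m$. See Figure 5.3 where the state changes stated in the hypothesis are shown in bold. Q.E.D.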


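Lemma 5.6 If (5.7) holds, and there exists $\iota$ such that $0 \le \iota < n$ and $\mathrm{enb}(\alpha_\iota, \sigma_0)$, then there exists $\{i : 0 \le i < \iota : \tau_i\}$ such that

$$\tau_0 \xrightarrow{\alpha_0} \tau_1 \xrightarrow{\alpha_1} \cdots \xrightarrow{\alpha_{\iota-2}} \tau_{\iota-1} \xrightarrow{\alpha_{\iota-1}} \sigma_{\iota+1} \xrightarrow{\alpha_{\iota+1}} \sigma_{\iota+2} \cdots \xrightarrow{\alpha_{n-1}} \sigma_n. \tag{5.9}$$

Proof: By definition of a state graph, $\mathrm{enb}(\alpha_\iota, \sigma_0)$ implies there exists $\tau_0$ such that $\sigma_0 \xrightarrow{\alpha_\iota} \tau_0$. Apply Lemma 5.4 to this relationship and

$$\sigma_0 \xrightarrow{\alpha_0} \sigma_1 \xrightarrow{\alpha_1} \cdots \xrightarrow{\alpha_{\iota-2}} \sigma_{\iota-1} \xrightarrow{\alpha_{\iota-1}} \sigma_\iota$$

to get the existence of $\{i : 0 < i \le \iota : \tau_i\}$ such that

$$\sigma_0 \xrightarrow{\alpha_\iota} \tau_0 \xrightarrow{\alpha_0} \tau_1 \xrightarrow{\alpha_1} \cdots \xrightarrow{\alpha_{\iota-2}} \tau_{\iota-1} \xrightarrow{\alpha_{\iota-1}} \tau_\iota. \tag{5.10}$$

But since the set of events occurring in $\sigma_0 \xrightarrow{*} \tau_\iota$ is the same as the set of events occurring in $\sigma_0 \xrightarrow{*} \sigma_{\iota+1}$, $\tau_\iota = \sigma_{\iota+1}$ by Lemma 5.3 and (5.9) holds. Q.E.D.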


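Lemma 5.7 If

$$\sigma \xrightarrow[*]{\mathcal{A}} \sigma_a \wedge \sigma \xrightarrow[*]{\mathcal{B}} \sigma_b \tag{5.11}$$

then there exists state $\tau$ such that

$$\sigma_a \xrightarrow[*]{\mathcal{B} \setminus \mathcal{A}} \tau \wedge \sigma_b \xrightarrow[*]{\mathcal{A} \setminus \mathcal{B}} \tau. \tag{5.12}$$

Proof: Use induction on the size of $\mathcal{B}$.

Base Case: ($|\mathcal{B}| = 0$) In this case, $\sigma_b = \sigma$. So, let $\tau = \sigma_a$.

Inductive Step: Suppose $|\mathcal{B}| > 0$. This situation implies there exist $\hat\sigma_b$, $\hat{\mathcal{B}}$, and $\beta$ such that

$$\sigma \xrightarrow[*]{\hat{\mathcal{B}}} \hat\sigma_b \xrightarrow{\beta} \sigma_b \tag{5.13}$$

and $\mathcal{B} = \hat{\mathcal{B}} \uplus \{\beta\}$. By the inductive hypothesis, there exists state $\hat\tau$ such that

$$\sigma_a \xrightarrow[*]{\hat{\mathcal{B}} \setminus \mathcal{A}} \hat\tau \wedge \hat\sigma_b \xrightarrow[*]{\mathcal{A} \setminus \hat{\mathcal{B}}} \hat\tau. \tag{5.14}$$

Consider the following two cases:

Case 1: ($\beta \notin (\mathcal{A} \setminus \hat{\mathcal{B}})$) This case implies $\beta \notin \mathcal{A}$ or $\beta \in \hat{\mathcal{B}}$. But $\beta \notin \hat{\mathcal{B}}$ by (5.13); so, $\beta \notin \mathcal{A}$. Furthermore, by Lemma 5.4 and the second half of (5.14), there exists $\tau$ such that

$$\hat\tau \xrightarrow{\beta} \tau \wedge \sigma_b \xrightarrow[*]{\mathcal{A} \setminus \hat{\mathcal{B}}} \tau.$$

So, because $\beta \notin \mathcal{A}$, the set of events occurring in $\sigma_a \xrightarrow{*} \tau$ is $((\hat{\mathcal{B}} \setminus \mathcal{A}) \cup \{\beta\}) = (\mathcal{B} \setminus \mathcal{A})$ and the set of events occurring in $\sigma_b \xrightarrow{*} \tau$ is $(\mathcal{A} \setminus \hat{\mathcal{B}}) = (\mathcal{A} \setminus \mathcal{B})$.

Case 2: ($\beta \in (\mathcal{A} \setminus \hat{\mathcal{B}})$) This case implies $\beta \in \mathcal{A}$. Also, by Lemma 5.6,

$$\sigma_b \xrightarrow{*} \hat\tau.$$

Let $\tau = \hat\tau$. Then, due to $\beta \in \mathcal{A}$, the set of events occurring in $\sigma_a \xrightarrow{*} \tau$ is $(\hat{\mathcal{B}} \setminus \mathcal{A}) = (\mathcal{B} \setminus \mathcal{A})$ and the set of events occurring in $\sigma_b \xrightarrow{*} \tau$ is $((\mathcal{A} \setminus \hat{\mathcal{B}}) \setminus \{\beta\}) = (\mathcal{A} \setminus \mathcal{B})$. Q.E.D.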
5.2.3 Descendents and Ancestors

Definition: A state $\phi$ is a descendent of $\sigma$ if $\sigma \xrightarrow{*} \phi$. A state $\phi$ is an ancestor of $\sigma$ if $\phi \xrightarrow{*} \sigma$. A state $\phi$ is a common descendent (or, alternatively, common ancestor) of $\sigma_a$ and $\sigma_b$ if $\phi$ is a descendent (ancestor) of both $\sigma_a$ and $\sigma_b$. A state $\phi$ is a closest common descendent (c.c.d.) of $\sigma_a$ and $\sigma_b$ if it is a common descendent of $\sigma_a$ and $\sigma_b$ and

$$\forall \hat\phi : \hat\phi \text{ is a common descendent of } \sigma_a \text{ and } \sigma_b : \mathrm{wt}(\hat\phi) \ge \mathrm{wt}(\phi). \tag{5.15}$$

A state $\phi$ is a closest common ancestor (c.c.a.) of $\sigma_a$ and $\sigma_b$ if it is a common ancestor of $\sigma_a$ and $\sigma_b$ and

$$\forall \hat\phi : \hat\phi \text{ is a common ancestor of } \sigma_a \text{ and } \sigma_b : \mathrm{wt}(\hat\phi) \le \mathrm{wt}(\phi). \tag{5.16}$$

Example 5.5: In Example 5.4, let $\sigma_a = 1010$ and $\sigma_b = 0110$. Then, 1110, 1111, 2111, etc. are their common descendents. Since 1110 has the least weight, it is their c.c.d. This observation can be generalized by the following lemma. □

Lemma 5.8 Any two states $\sigma_a$ and $\sigma_b$ have a unique c.c.d. $\tau$ defined by

$$\forall k : 0 \le k < K : \tau[k] = \max\{\sigma_a[k], \sigma_b[k]\}. \tag{5.17}$$

Proof: Let $k$ be an arbitrary variable index. By Lemma 5.2, if $\tau$ is a common descendent of $\sigma_a$ and $\sigma_b$, then

$$\tau[k] \ge \max\{\sigma_a[k], \sigma_b[k]\}. \tag{5.18}$$

Thus, if any common descendent $\tau$ satisfies (5.17), then $\tau$ is the unique c.c.d.

Next, in Lemma 5.7, let $\sigma = \sigma_{\mathrm{init}}$ and consider the state $\tau$ guaranteed by that lemma. First, $\tau$ is a common descendent of $\sigma_a$ and $\sigma_b$. Also, by Lemma 5.2, $(x_k, \tau[k])$ is in $\mathcal{A} \cup (\mathcal{B} \setminus \mathcal{A})$ and $\mathcal{B} \cup (\mathcal{A} \setminus \mathcal{B})$. So, $(x_k, \tau[k]) \in \mathcal{A} \cup \mathcal{B}$ which implies, by Lemma 5.2,

$$\tau[k] \le \sigma_a[k] \vee \tau[k] \le \sigma_b[k]. \tag{5.19}$$

By (5.18), at least one of these two inequalities is an equality and (5.17) holds. So, $\tau$ is the unique c.c.d. of $\sigma_a$ and $\sigma_b$. Q.E.D.

Corollary 5.9 For any two states $\sigma$ and $\tau$,

$$\sigma \xrightarrow{*} \tau \Leftrightarrow \forall k :: \sigma[k] \le \tau[k]. \tag{5.20}$$

Proof: The "if" part is from Lemma 5.2. The "only-if" part is due to $\tau$ being the c.c.d. of $\sigma$ and $\tau$. Q.E.D.

Since $\sigma_{\mathrm{init}}$ is the common ancestor of any two states and there is an upper bound on the weight of any ancestor of a state, a c.c.a. exists for any two states. However, an analogy to (5.17) for defining the c.c.a. does not exist as the following example illustrates. Instead, we need to establish Lemma 5.10 in order to show that the c.c.a. of any two states is unique.

Example 5.6: Continuing with the previous example where $\sigma_a = 1010$ and $\sigma_b = 0110$, $\rho = 0000$ is the only common ancestor of the two states and is therefore their c.c.a. However, $\rho[2] \ne \min\{\sigma_a[2], \sigma_b[2]\}$. □

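Lemma 5.10 Let $\rho$ be a c.c.a. of $\sigma_a$ and $\sigma_b$ with $\rho \xrightarrow[*]{\mathcal{A}} \sigma_a$ and $\rho \xrightarrow[*]{\mathcal{B}} \sigma_b$. If $\mathrm{enb}(\gamma, \rho)$, then $\gamma \notin (\mathcal{A} \cap \mathcal{B})$.

Proof: Assume, toward a contradiction, that $\mathrm{enb}(\gamma, \rho)$ and $\gamma \in (\mathcal{A} \cap \mathcal{B})$. By Lemma 5.6, there exist $\tau_a$ and $\tau_b$ such that

$$\rho \xrightarrow{\gamma} \tau_a \xrightarrow[*]{\mathcal{A} \setminus \{\gamma\}} \sigma_a \wedge \rho \xrightarrow{\gamma} \tau_b \xrightarrow[*]{\mathcal{B} \setminus \{\gamma\}} \sigma_b.$$

But then, by Lemma 5.3, $\tau_a = \tau_b$, and therefore $\tau_a$ is a common ancestor of $\sigma_a$ and $\sigma_b$. Moreover, by Lemma 5.1, $\mathrm{wt}(\tau_a) = \mathrm{wt}(\rho) + 1$. This equation violates the hypothesis that $\rho$ is a c.c.a. of $\sigma_a$ and $\sigma_b$. Q.E.D.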

Lemma 5.11 Let $\rho$ be a c.c.a. of $\sigma_a$ and $\sigma_b$. If $\hat\rho$ is a common ancestor of $\sigma_a$ and $\sigma_b$, then $\hat\rho \xrightarrow{*} \rho$.

C  _  V 

Proof:  Let  f>  be  a  c.c.a.  of  p  and  p  with  <f>  -*-> p  and  (p  -k-+  p.  Suppose,  toward 
a  contradiction,  that  <p  A  P-  Then,  there  exists  7  and  <p  such  that  7  €  C  and 
enb(7,  <p).  By  Lemma  5.10,  7  ^  V  and  therefore,  by  stability,  enb(y,  p). 

Now,  7  occurs  in  (f>  -kr^p  -*—>07;  so,  it  occurs  in  (f>  > p  -*—>07.  Since 

7  i  V,  7  occurs  in  p  -*—>07.  Similarly,  7  occurs  in  p  ^*^07.  By  Lemma  5.10, 
these  two  relationships  and  enb(y,  p)  contradict  the  hypothesis  that  p  is  a 
c.c.a.  of  <7 a  and  07.  Thus,  <p  —  p  and  p-k-tp.  Q.E.D. 
Corollary 5.12 Two states have a unique c.c.a.

Proof: Let $\rho$ and $\hat\rho$ both be c.c.a.s of the two states. By the previous lemma, $\rho \xrightarrow{*} \hat\rho$ and $\hat\rho \xrightarrow{*} \rho$. Thus, $\rho = \hat\rho$. Q.E.D.

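We conclude this section with two other consequences of Lemma 5.10 that will be useful later.

Lemma 5.13 Let $\rho$ be the c.c.a. of $\sigma_a$ and $\sigma_b$ and $\hat\rho$ be any of their common ancestors. If $\alpha$ occurs in $\hat\rho \xrightarrow{*} \sigma_a$ but not in $\hat\rho \xrightarrow{*} \sigma_b$, then $\alpha$ occurs in $\rho \xrightarrow{*} \sigma_a$.

Proof: Consider the two paths $\hat\rho \xrightarrow{*} \rho \xrightarrow{*} \sigma_a$ and $\hat\rho \xrightarrow{*} \rho \xrightarrow{*} \sigma_b$. Since $\alpha$ occurs in the first but not the second, it occurs in $\rho \xrightarrow{*} \sigma_a$. Q.E.D.

Lemma 5.14 If $\sigma \xrightarrow[*]{\mathcal{A}} \tau$, $\phi \xrightarrow[*]{\mathcal{B}} \tau$, and $\mathcal{B} \subseteq \mathcal{A}$, then

$$\sigma \xrightarrow[*]{\mathcal{A} \setminus \mathcal{B}} \phi.$$

Proof: Let $\rho$ be the c.c.a. of $\sigma$ and $\phi$. If $\rho \ne \sigma$, then let

$$\rho \xrightarrow{\alpha} \hat\rho \xrightarrow{*} \sigma \xrightarrow[*]{\mathcal{A}} \tau. \tag{5.21}$$

By Lemma 5.10, $\alpha$ does not occur in $\rho \xrightarrow{*} \phi$. Also, by (5.21), $\alpha \notin \mathcal{A}$ which implies $\alpha \notin \mathcal{B}$. Therefore, $\alpha$ does not occur in $\rho \xrightarrow{*} \phi \xrightarrow[*]{\mathcal{B}} \tau$, contradicting (5.21) and Lemma 5.3. Therefore, $\rho = \sigma$ and $\sigma \xrightarrow{*} \phi$. The set of events on the path then follows from Lemma 5.3. Q.E.D.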


5.3  Cycles  and  Periods 

5.3.1  State  Offsets 

Besides being a state of $\Sigma(\mathcal{P})$, $\pi \in \mathbb{N}^K$ can also be considered as a "state offset" since, for any state $\sigma$ and any state offset $\pi$, we can define $\tau = \sigma + \pi$ as a state in $\Sigma(\mathcal{P})$ by

$$\forall i : 0 \le i < K : \tau[i] = \sigma[i] + \pi[i]. \tag{5.22}$$

If $\sigma_{\mathrm{init}} \xrightarrow{*} \tau$, then $\tau$ is also a state of $\Gamma(\mathcal{P}, \sigma_{\mathrm{init}})$. The expression $\sigma - \pi$ is similarly defined provided $\forall i : 0 \le i < K : \sigma[i] \ge \pi[i]$. Likewise, for $q > 0$, $q\pi$ denotes the state offset such that $(q\pi)[k] = q(\pi[k])$. Also, for two state offsets, $\pi$ and $\omega$, $\pi \le \omega$ denotes $\forall k : 0 \le k < K : \pi[k] \le \omega[k]$, and $\pi < \omega$ is equivalent to $(\pi \le \omega) \wedge (\pi \ne \omega)$.

Next, we use the following definition to capture the notion of "adding" and "subtracting" a state offset to an event.

Definition: For an event $\alpha = (x_k, l)$ and a state offset $\pi$, the (positive) extension of $\alpha$ by $\pi$ is the event $(\alpha \oplus \pi) = (x_k, l + \pi[k])$. Similarly, provided $\sigma_{\mathrm{init}}[k] < l - \pi[k]$, the negative extension of $\alpha$ by $\pi$ is the event $(\alpha \ominus \pi) = (x_k, l - \pi[k])$. Also, we will use $(\mathcal{A} \oplus \pi)$ to denote the set $\{\alpha : \alpha \in \mathcal{A} : (\alpha \oplus \pi)\}$ and analogously for $(\mathcal{A} \ominus \pi)$.

By Lemma 5.2, for any path

$$\sigma \xrightarrow[*]{\mathcal{A}} (\sigma + \pi), \tag{5.23}$$

the number of distinct events $\alpha$ in $\mathcal{A}$ with $\mathrm{var}(\alpha) = x_k$ is precisely $(\sigma + \pi)[k] - \sigma[k] = \pi[k]$. So, the set of variables that occur in the path is a function of $\pi$ and not of $\sigma$. Thus, for reference, we borrow the following definition from [37].

Definition: For a state offset $\pi$, the spanning set of $\pi$ is $\mathrm{span}(\pi) = \{k : \pi[k] \ne 0 : x_k\}$.

Note that in (5.23), $\mathrm{span}(\pi)$ is determined by the events in $\mathcal{A}$. So, for convenience, we overload the meaning of span() and define the spanning set of a set of events $\mathcal{A}$ as

$$\mathrm{span}(\mathcal{A}) = \{k, l : (x_k, l) \in \mathcal{A} : x_k\}.$$

With this definition, the path in (5.23) implies $\mathrm{span}(\pi) = \mathrm{span}(\mathcal{A})$.

5.3.2  Cycles 


Definition: The path $\sigma_0 \xrightarrow[*]{\mathcal{A}} \sigma_n$ is called a cycle if $\mathcal{A} \ne \emptyset$ and $\mathrm{bool}(\sigma_0) = \mathrm{bool}(\sigma_n)$. The period of the cycle is the state offset $\pi$ such that $\sigma_n = \sigma_0 + \pi$. A state offset $\pi$ is a period if it is the period of any cycle.

Since the length of any cycle is at least one, its period is not the zero-vector. Also, by the definition of the Boolean value of a state, if $\tau = \sigma + \pi$, then $\mathrm{bool}(\sigma) = \mathrm{bool}(\tau)$ if and only if $\pi$ has only even components.

Example 5.7: Referring back to Figure 5.1, $0100 \xrightarrow{*} 2322$ is a cycle in the graph with period 2222. □
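The definitions of Sections 5.1 to 5.3 can be checked mechanically on a small PR set. The following Python code is an added example, not part of the original text: its four-variable PR set is constructed to agree with Examples 5.1 to 5.7 (the guard $x_3$ on the down-transitions of $x_0$ and $x_1$ is an assumption, since Figure 5.1 is not reproduced here), and all function names are illustrative. It builds the reachable state graph up to a weight bound, checks stability, compares the closed form of Lemma 5.8 with a brute-force search for the c.c.d., finds the c.c.a. by search, and lists the periods of cycles from a state.

```python
from collections import deque

K = 4  # variables x0..x3

# Constructed PR set: per variable, (guard of x_k up, guard of x_k down); each guard
# reads the Boolean value of a state. The x0/x1 down-guards (x3) are assumed.
PR_SET = [
    (lambda b: not b[3], lambda b: b[3]),                       # x0
    (lambda b: not b[3], lambda b: b[3]),                       # x1
    (lambda b: b[0] or b[1], lambda b: not b[0] and not b[1]),  # x2
    (lambda b: b[0] and b[1] and b[2], lambda b: not b[2]),     # x3
]

def bool_value(state):
    """Equation (5.3): component k is true iff state[k] is odd."""
    return tuple(c % 2 == 1 for c in state)

def weight(state):
    """wt(state): total number of transitions that have occurred."""
    return sum(state)

def enabled(event, state):
    """enb(event, state) for event = (k, l): state[k] = l - 1 and the guard holds."""
    k, l = event
    if state[k] != l - 1:
        return False
    up, down = PR_SET[k]
    guard = up if l % 2 == 1 else down  # odd l raises x_k, even l lowers it
    return guard(bool_value(state))

def successors(state):
    """All (event, next_state) pairs with state --event--> next_state."""
    result = []
    for k in range(K):
        event = (k, state[k] + 1)
        if enabled(event, state):
            result.append((event, state[:k] + (state[k] + 1,) + state[k + 1:]))
    return result

def descendants(state, max_weight):
    """States reachable from `state` (itself included) with weight <= max_weight."""
    seen, todo = {state}, deque([state])
    while todo:
        for _, nxt in successors(todo.popleft()):
            if weight(nxt) <= max_weight and nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def is_stable(states):
    """Stability: firing one enabled event never disables another enabled event."""
    for s in states:
        succ = successors(s)
        for ev_a, s_b in succ:
            for ev_b, s_c in succ:
                if ev_a != ev_b and not (enabled(ev_b, s_b) and enabled(ev_a, s_c)):
                    return False
    return True

def ccd(sa, sb):
    """Lemma 5.8: the c.c.d. is the component-wise maximum."""
    return tuple(max(a, b) for a, b in zip(sa, sb))

def ccd_by_search(sa, sb, max_weight):
    """Least-weight common descendents found by explicit reachability."""
    common = descendants(sa, max_weight) & descendants(sb, max_weight)
    least = min(map(weight, common))
    return sorted(s for s in common if weight(s) == least)

def cca_by_search(sa, sb, init, max_weight):
    """Greatest-weight common ancestors among the states reachable from init."""
    common = [s for s in descendants(init, max_weight)
              if {sa, sb} <= descendants(s, max_weight)]
    greatest = max(map(weight, common))
    return sorted(s for s in common if weight(s) == greatest)

def periods_from(state, max_weight):
    """Periods of cycles that start at `state`, up to the weight bound."""
    b = bool_value(state)
    return sorted(tuple(t[k] - state[k] for k in range(K))
                  for t in descendants(state, max_weight)
                  if t != state and bool_value(t) == b)

if __name__ == "__main__":
    init = (0, 0, 0, 0)
    print(is_stable(descendants(init, 12)))
    print(ccd((1, 0, 1, 0), (0, 1, 1, 0)), ccd_by_search((1, 0, 1, 0), (0, 1, 1, 0), 12))
    print(cca_by_search((1, 0, 1, 0), (0, 1, 1, 0), init, 12))
    print(periods_from((0, 1, 0, 0), 9))
```

The c.c.a. search returns 0000 rather than the component-wise minimum 0010, because 0010 is not reachable from 0000 in this graph; this is the asymmetry between the c.c.d. and the c.c.a. noted in Example 5.6.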

The  following  lemma  verifies  the  intuitive  notion  of  what  it  means  for  two 
states  to  have  the  same  Boolean  value.  Some  of  its  immediate  consequences 
are  listed  afterward  for  future  reference. 


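Lemma 5.15 If there exist state offset $\pi$ and states $\sigma$ and $\tau$ such that

$$\mathrm{bool}(\sigma) = \mathrm{bool}(\tau) \wedge \tau = \sigma + \pi, \tag{5.24}$$

then

$$(\forall \alpha :: \mathrm{enb}(\alpha, \sigma) \Rightarrow \mathrm{enb}(\alpha \oplus \pi, \tau)) \wedge (\forall \beta :: \mathrm{enb}(\beta, \tau) \Rightarrow \mathrm{enb}(\beta \ominus \pi, \sigma)). \tag{5.25}$$

Proof: Suppose $\mathrm{enb}(\beta, \tau)$. Let $\beta = (x_k, l)$. Then, by definition, $\tau[k] = l - 1$ and the guard for $\mathrm{tran}(x_k)$ is true in state $\tau$. But $\mathrm{bool}(\tau) = \mathrm{bool}(\sigma)$; so, the guard for $\mathrm{tran}(x_k)$ is true in state $\sigma$ as well. Moreover,

$$\sigma[k] = (\tau - \pi)[k] = \tau[k] - \pi[k] = (l - 1) - \pi[k].$$

Thus, $(\beta \ominus \pi) = (x_k, l - \pi[k])$ is enabled in state $\sigma$ and the second half of (5.25) is established. Alternatively, if $\mathrm{enb}(\alpha, \sigma)$, then by analogous arguments to the ones above, the first half of (5.25) holds. Q.E.D.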


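Lemma 5.16 If there exist state offset $\pi$ and states $\sigma$ and $\tau$ such that (5.24) holds, then, for $n > 0$,

$$(\sigma = \sigma_0) \xrightarrow{\alpha_0} \sigma_1 \xrightarrow{\alpha_1} \cdots \xrightarrow{\alpha_{n-1}} \sigma_n \tag{5.26}$$

if and only if

$$(\tau = (\sigma_0 + \pi)) \xrightarrow{\alpha_0 \oplus \pi} (\sigma_1 + \pi) \xrightarrow{\alpha_1 \oplus \pi} \cdots \xrightarrow{\alpha_{n-1} \oplus \pi} (\sigma_n + \pi). \tag{5.27}$$

Proof: Use Lemma 5.15 and induction on $n$. Q.E.D.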
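Corollary 5.17 Given a cycle $\sigma \xrightarrow[*]{\mathcal{A}} (\sigma + \pi)$, for any $q$, $q > 0$, there exists cycle

$$\sigma \xrightarrow[*]{\mathcal{A}} (\sigma + \pi) \xrightarrow[*]{\mathcal{A} \oplus \pi} (\sigma + 2\pi) \xrightarrow[*]{\mathcal{A} \oplus 2\pi} \cdots \xrightarrow[*]{\mathcal{A} \oplus (q-1)\pi} (\sigma + q\pi). \tag{5.28}$$

Proof: Use induction on $q$ and Lemma 5.16. Q.E.D.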


Note that Lemma 5.16 pertains only to "exiting" from two states with the same Boolean value. The analog for going "backward" from two states with the same Boolean value is not valid. More precisely, even if (5.24) holds, $\sigma_a \to \sigma$ does not imply $(\sigma_a + \pi) \to \tau$, nor vice versa. See the following example.

Example 5.8: Figure 5.4 shows the state graph if we start at the initial state of 0010 for the PR set shown in Figure 5.1. Notice that even though $\mathrm{bool}(1110) = \mathrm{bool}(3332)$, $3322 \to 3332$ but 1100, not being a state in the graph, does not change to 1110. Similarly, $\mathrm{bool}(1010) = \mathrm{bool}(3232)$ but $0010 \to 1010$ while 2232 does not change to 3232. □

If a state graph contains a cycle $\sigma \xrightarrow{*} (\sigma + \pi)$, then $\pi$ specifies fully the set of transitions whose occurrences after state $\sigma$ lead to another state where all the variables have the same values. By Corollary 5.17, the same set of transitions can then occur at the new state and be repeated over and over. Thus, this cycle, with its associated period, describes a possible steady-state behavior of the system. Furthermore, the following results show that once a state is reached where the transitions associated with the period $\pi$ can occur, then this set of transitions (with perhaps different occurrence numbers) can occur at any subsequent state.


Lemma 5.18 If $\sigma \xrightarrow[*]{\mathcal{A}} (\sigma + \pi)$ is a cycle and $\sigma \xrightarrow{\gamma} \tau$, then there exists cycle $\tau \xrightarrow[*]{\mathcal{B}} (\tau + \pi)$ where $\mathcal{B} = ((\mathcal{A} \cup \{(\gamma \oplus \pi)\}) \setminus \{\gamma\})$.

Proof: Consider the two cases:

Case 1: ($\gamma \notin \mathcal{A}$) By Lemma 5.4, there exists $\hat\tau$ such that $\tau \xrightarrow[*]{\mathcal{A}} \hat\tau$. By Lemma 5.2, $\hat\tau - \tau = (\sigma + \pi) - \sigma = \pi$. Thus, the lemma is valid in this case.

Case 2: ($\gamma \in \mathcal{A}$) By Lemma 5.6,

$$\sigma \xrightarrow{\gamma} \tau \xrightarrow[*]{\mathcal{A} \setminus \{\gamma\}} (\sigma + \pi).$$

Also, by Lemma 5.16, $\sigma \xrightarrow{\gamma} \tau$ implies $(\sigma + \pi) \xrightarrow{\gamma \oplus \pi} (\tau + \pi)$. Concatenating this edge to the path above establishes the claim. Q.E.D.

[Figure 5.4: A state graph with initial state $\sigma_{\mathrm{init}} = 0010$]

Lemma 5.19 Given $\sigma \xrightarrow[*]{\mathcal{C}} \tau$ and a cycle $\sigma \xrightarrow{*} (\sigma + \pi)$, there exists cycle $\tau \xrightarrow{*} (\tau + \pi)$.

Proof: Use Lemma 5.18 and induction on the size of $\mathcal{C}$. Q.E.D.

Note that as the following example shows, in Lemma 5.19, $\tau \xrightarrow{*} (\tau + \pi)$ does not imply $\sigma \xrightarrow{*} (\sigma + \pi)$.

Example 5.9: In Figure 5.4, the cycle $1010 \xrightarrow{*} 3232$ implies the cycle $1110 \xrightarrow{*} 3332$ and so on. However, it does not imply there is a cycle starting from 0010 even though $0010 \to 1010$. □

5.4  Sub-cycles  and  Minimal  Periods 

Definition: The cycle

$$\hat\sigma \xrightarrow[*]{\hat{\mathcal{A}}} (\hat\sigma + \hat\pi) \tag{5.29}$$

is a sub-cycle of the cycle

$$\sigma \xrightarrow[*]{\mathcal{A}} (\sigma + \pi) \tag{5.30}$$

if $\hat{\mathcal{A}} \subset \mathcal{A}$. A cycle is minimal if it has no sub-cycles.

By the transitivity of $\subset$, any sub-cycle of (5.29) is also a sub-cycle of (5.30). Consequently, every non-minimal cycle contains a minimal sub-cycle. Unfortunately, a sub-cycle as defined above is too unrestrictive to be useful in many proofs. Hence, in the next subsection, we will show that any non-minimal cycle contains a sub-cycle that satisfies certain conditions.

5.4.1  Normal  Sub-cycles 

Definition: A sub-cycle (5.29) of the cycle (5.30) is normal if

$$\exists \mathcal{D} :: (\sigma \xrightarrow[*]{\mathcal{D}} \hat\sigma) \wedge (\mathcal{D} \cap \mathcal{A} = \emptyset). \tag{5.31}$$

One useful property of a normal sub-cycle is that there is a simple relationship between its period and that of its corresponding cycle.

Lemma 5.20 Given cycles (5.29) and (5.30) that satisfy (5.31), (5.29) is a sub-cycle of (5.30) if and only if $\hat\pi < \pi$.

Proof: Since $\mathcal{A} \cap \mathcal{D} = \emptyset$, by Lemma 5.5, $\hat\sigma \xrightarrow[*]{\mathcal{A}} (\hat\sigma + \pi)$. By Lemma 5.3, $\hat{\mathcal{A}} = \mathcal{A} \Leftrightarrow \hat\pi = \pi$; by Lemma 5.2, $\hat{\mathcal{A}} \subset \mathcal{A} \Leftrightarrow \hat\pi < \pi$. Q.E.D.

We will next show that any non-minimal cycle contains a normal sub-cycle.

A  V 

Lemma  5.21  Given  a  cycle  a  +  tt)  and  a  path  a  >t;  there  exist 

q  >  0,  4>,  and  V  such  that  span(£>)  fl  span(7r)  =  0  and 


a 


>T  ■ 


( <f>  +  q tt). 


Proof:  Partition  D  into  the  sets 


(5.32) 


V  —  {a  :  ol  G  V  A  var(ct)  ^  span(7r)  :  a}  (5.33) 

and  C  —  V  \  V.  Note  that  V  fl  A  —  0.  Next,  choose  q  large  enough  so  that 
for  any  variable  index  k,  ( Xk ,  l)  G  C  implies  l  +  a[k\  <  qTr[k].  By  Lemma  5.17, 
there  exists  cycle 

a  -§->  (a  +  qir)  (5.34) 

and  C  C  B  by  the  choice  of  q.  Applying  Lemma  5.7  to  (5.34)  and  a  -^r 
implies  there  exists  <p  such  that 

V\B ~  B\V _ 

(a  +  q7r)  <j>  A  r  <j>.  (5.35) 

By  (5.33)  and  C  C  B,  {V  \  B)  =  {{V  U  C)  \  B)  =  V  and  (V  ©  qtt )  =  V.  So, 

Ti¬ 
the  first  half  of  (5.35)  implies  a  -k->  (<fi  —  gir)  by  Lemma  5.16.  Let  <fi  —  <fi  —  qir\

then  the  other  paths  in  (5.32)  follow  from  T>  C  T>  and  the  second  half  of

(5.35).  Q.E.D. 
Lemma  5.22  If


(5.36) 


a  (<7  +  7 r) 

has  a  sub-cycle  of  period  if,  then  it  has  a  sub-cycle 

r  (r  +  if)  (5.37) 

such  that  a  r . 

Proof:  Let 

<7 (d  +  if )  (5.38) 

C 

be  a  sub-cycle  of  (5.36).  Let  r  be  the  c.c.d.  of  a  and  a  with  a  Applying 

C 

Lemma  5.7  to  a  and  (5.38)  yields  the  existence  of  r  such  that 

A\C  ^ 


Now,  if  (xk,l)  G  A,  then  a[k\  <  l  and  a[k\  <  l.  So,  r[k]  <  l  by  Lemma  5.8 
and  (xk,  l )  C.  Hence,  A  fl  C  —  0  and  so  f  =  (r  +  if ) .  Q.E.D. 


Lemma  5.23  If  a  cycle  has  a  sub-cycle  of  period  tt,  then  it  has  a  normal 
subcycle  of  period  if. 

Proof:  Let  the  cycle  be  (5.36)  and,  by  Lemma  5.22,  we  can  assume  that  it  has 

V  ~ 

a  sub-cycle  (5.37)  with  a  -^t.  Then,  by  Lemma  5.2,  A  C  A  implies  ir  <  tt. 
Next,  apply  Lemma  5.21  to  obtain  (5.32).  By  Lemma  5.19,  r  (cp  +  qir) 
and  (5.37)  imply  +  g7r)  ^*r->  {(j>  +  §7r  +  if).  By  Lemma  5.16,  (p  (tfi  +  tt)- 
Setting  a  to  <fi  implies  there  exists  the  cycle  a  +  if).  By  Lemma  5.20, 

this  is  a  normal  sub-cycle  of  (5.37)  since  V  fl  A  =  0  and  if  <  7 r.  Q.E.D. 


5.4.2  Minimal  Periods 

Our next goal is to establish Theorem 5.1, which states that if a cycle with
period $\pi$ is minimal, then all cycles with period $\pi$ are minimal. Toward
that end, we need to establish some preliminary results.
Lemma  5.24  Let  a  (a  +  ir)  be  a  normal  subcycle  of  a  (a  +  ir)  with

V 

<7  —k — >  <t .  Then,  the  following  hold:


and 


\  ‘jj 

(d  +  if)  (a  +  7r)  A  (a  +  7r)  ^*r->(a  +  7r); 


a  ^*r->  (a  +  7F  —  7r)  is  a  subcycle  of  a  [a  +  7r). 


(5.39) 

(5.40) 


Proof:  Since  A  fl  V  —  0,  (d  +  7r)  is  the  c.c.d.  of  (d  +  if)  and  (a  +  7 r)  and, 
so,  (5.39)  holds.  By  the  first  part  of  (5.39)  and  bool(d)  =  bool(d  +  if), 
Lemma  5.16  implies  a  -3*r->(d  +  tt  —  if).  But  (if  A  0)  A  (if  <  7r)  is  equivalent 
to  ((-7T  —  if)  A  0)  A  ((7T  —  if)  <  7 r).  So,  by  Lemma  5.20,  (5.40)  holds.  Q.E.D. 


Lemma  5.25  If  the  cycle 


^\M  a 

a  a  a  — 


(cr  +  7r) 


(5.41) 


is  not  minimal,  then  it  has  a  normal  sub-cycle  such  that  a  does  not  occur  in 
the  normal  sub-cycle. 


Proof:  Let  a  ~  (xk,  (cr  +  7r)[k]).  Let  a  (d+if)  be  a  sub-cycle  of  (5.41).  If 
a  occurs  in  the  sub-cycle,  then  (d  +  if)[fc]  =  (a  +  7r)[fc].  So,  (d  +  7r  —  if)[fc]  = 
0  and,  so,  a  does  not  occur  in  d  -kr- >(d  +  7r  —  if)  which,  by  (5.40),  is  another 
sub-cycle  of  (5.41).  Q.E.D. 


Lemma  5.26  Given  cycles 


a  (cr  +  7r) 


and 


B  ,  , 

r^*r^(r  +  7r), 


7 

and  o  —A  r,  (5.42)  is  minimal  if  and  only  if  (5.43)  is  minimal.


(5.42) 

(5.43) 
Proof:  By  Lemma  5.18,


B  —  (A  U  {7  ®  7r})  \  {7}. 


(5.44) 


(  <=  )  Suppose  (5.42)  is  not  minimal.  Then,  there  exists  a  normal 
sub-cycle 

<7-^(<t  +  7F).  (5.45) 

X> 

Let  a  and  A  fl  V  —  0.  Also,  note  that  7r  <  7r  by  Lemma  5.20. 

Next,  by  Lemma  5.7,  there  exists  f  such  that 


^  \  {7}  ~  ~  {7}  \  ^  „ 

r  t  A  a  r. 


(5.46) 


By  Lemma  5.19,  (5.45)  and  the  second  part  of  (5.46)  imply  the  existence  of 


rJr->  (t  +  7r).  (5-47) 

Now,  if  (xk,l)  6  V  \  {7},  then  by  Lemma  5.2,  (xk,l)  is  in  V  and  therefore 
not  in  A  since  V  n  A  —  0.  Thus,  7 r[fc]  =  0.  So,  since  span(^)  =  span(-7r), 
(V  \  {7})  fl  B  —  0  and  the  hypothesis  of  Lemma  5.20  is  satisfied  for  (5.47) 
and  (5.43).  Since  if  <  7r,  (5.47)  is  a  sub-cycle  of  (5.43).  Consequently,  we 
have  demonstrated  (5.42)  is  not  minimal  implies  (5.43)  is  not  minimal. 

(  =>  )  Suppose  (5.43)  is  not  minimal.  Let  (5.47)  be  one  of  its  normal
sub-cycles.  Then  there  exists  V  such  that


o 


(5.48) 


with  V  fl  B  —  0.  The  last  equality  implies,  by  (5.44)  and  7  ^  V1  V  n  A  —  0. 
There  are  two  cases  to  consider:

Case  1:  (7  ^  A)  In  this  case,  (5.44)  implies  B  =  A.  So,  V  fl  B  —  0
implies  (V  U  {7})  fl  A  —  0.  Thus,  by  (5.48)  and  Lemma  5.20,  (5.47)  is  a 
sub-cycle  of  (5.42)  which  is  therefore  not  minimal. 

Case  2:  (7  e  A)  In  this  case,  by  Lemma  5.6,  we  have  a  —A  r  and 


^\{7} 


(a  +  7 r) 


7  ©  7 r 


(r  +  7r). 


(5.49) 
Now,  by  definition,


(BcB)A(B=(A\  {7})  U  {7  © 7r } ) . 

But,  by  Lemma  5.25,  we  can  assume  (7  ©  tt)  B.  Consequently, 

BC(A\{ri)cA 

with  the  last  inclusion  due  to  7  €  A.  These  relationships  imply  (5.47)  is 
a  sub-cycle  of  (5.42)  which  is  therefore  not  minimal.  Thus,  we  have  also 
demonstrated  that  (5.42)  is  minimal  implies  (5.43)  is  minimal.  Q.E.D. 

Lemma  5.27  Given  cycles  (5.42)  and  (5.43)  and  a  (5.42)  is  minimal
if  and  only  if  (5.43)  is  minimal.

Proof:  Use  Lemma  5.26  and  induction  on  the  length  of  the  path  a 

Q.E.D. 

Theorem 5.1 A cycle with period $\pi$ is minimal implies all cycles with period
$\pi$ are minimal.

Proof: Let (5.42) be a minimal cycle of period $\pi$. Let (5.43) be any other
cycle of period $\pi$. Let $\phi$ be the c.c.d. of $\sigma$ and $\tau$. By Lemma 5.19, there
exists cycle

$\phi \xrightarrow{*} (\phi + \pi)$. (5.50)

By Lemma 5.27, (5.42) is minimal implies (5.50) is minimal which, in turn,
implies (5.43) is minimal. Q.E.D.

This  result  allows  us  to  make  the  following  definition: 

Definition: The state offset $\pi$ is a minimal period of a state graph, if there
exists a minimal cycle with that period.


5.5  Non-separable  Graphs 

Theorem 5.2 If there exist minimal cycles with periods $\pi_a$ and $\pi_b$, then
either $\pi_a = \pi_b$ or $\mathrm{span}(\pi_a) \cap \mathrm{span}(\pi_b) = \emptyset$.
Proof: Let the two cycles be $\sigma_a \xrightarrow{*} (\sigma_a + \pi_a)$ and $\sigma_b \xrightarrow{*} (\sigma_b + \pi_b)$. Let $\tau$ be
the c.c.d. of $\sigma_a$ and $\sigma_b$. Then, by Lemma 5.19,

$\tau \xrightarrow{*} (\tau + \pi_a) \wedge \tau \xrightarrow{*} (\tau + \pi_b)$. (5.51)

Suppose $\pi_a \neq \pi_b$. Let $\phi$ be the c.c.d. of $(\tau + \pi_a)$ and $(\tau + \pi_b)$. Then, by
Lemma 5.8,

$\forall k :: \phi[k] = \max\{(\tau + \pi_a)[k], (\tau + \pi_b)[k]\} = \tau[k] + \max\{\pi_a[k], \pi_b[k]\}$. (5.52)

Also, by Lemma 5.16, (5.51) implies $(\tau + \pi_a + \pi_b)$ is a state. Since the
maximum of two non-negative numbers is no greater than their sum, by
Lemma 5.9,

$(\tau + \pi_a) \xrightarrow{*} \phi \xrightarrow{*} (\tau + \pi_a + \pi_b)$. (5.53)

By Lemma 5.16, this path implies

$\tau \xrightarrow{*} (\phi - \pi_a) \xrightarrow{*} (\tau + \pi_b)$. (5.54)

Now, since $\mathrm{bool}(\tau + \pi_a) = \mathrm{bool}(\tau) = \mathrm{bool}(\tau + \pi_b)$, by (5.52), $\mathrm{bool}(\phi) =
\mathrm{bool}(\tau)$. Consequently, $\tau \xrightarrow{*} (\phi - \pi_a)$ is a sub-cycle of $\tau \xrightarrow{*} (\tau + \pi_b)$, which
contradicts the hypothesis that $\pi_b$ is a minimal period, unless $\tau = \phi - \pi_a$ or
$\phi - \pi_a = \tau + \pi_b$. If $(\phi - \pi_a) = \tau$, then due to (5.52), $\pi_b < \pi_a$ and, by Lemma 5.9,
$\tau \xrightarrow{*} (\tau + \pi_b) \xrightarrow{*} (\tau + \pi_a)$ and $\pi_a$ is not a minimal period. So, $(\phi - \pi_a) = (\tau + \pi_b)$
which implies, for any variable index $k$, $\max\{\pi_a[k], \pi_b[k]\} = \pi_a[k] + \pi_b[k]$.
This equality implies $\pi_a[k] = 0 \vee \pi_b[k] = 0$ and the theorem is established.

Q.E.D.

Theorem 5.2 states that if a state graph has different minimal periods,
then the sets of variables spanned by these periods are disjoint.⁴ Note that
by Lemma 5.16, transitions on the variables in each of these sets can occur
repeatedly. Furthermore, since the two sets have no variables in common,
if the PR set ever reached a state where both cycles are possible, then, by
Lemma 5.5, the occurrences of transitions in one set are independent of the
occurrences of transitions in another set. These observations mean that the
original PR set contains two or more sub-components which operate independently
of each other, except, perhaps, for some initial transient interactions.
Consequently, we make the following definition.

⁴ In [37], it has only been shown that the sets of variables spanned by the periods of
cycles starting from a given state are disjoint.

Definition: A state graph is separable if it contains minimal cycles with
different periods. It is non-separable if it is not separable.
Chapter  6

Index-Priority  Simulation 


In  this  chapter,  we  will  present  and  prove  the  correctness  of  the  index-priority 
simulation  algorithm  which  finds  all  minimal  periods  in  a  state  graph.  It 
turns  out  that  the  number  of  simulation  steps  can  be  greatly  reduced  if  it  is 
known  that  the  input  graphs  are  uniform.  Hence,  the  first  part  of  the  chapter 
will  study  these  graphs  and  present  some  criteria  for  identifying  them.  The 
correctness  of  the  actual  algorithm  is  demonstrated  in  Section  6.4. 


6.1  Uniform  Graphs 

Definition:  A  cycle 

<J  (<7  +  71")  (6.1)

is  uniform  if  it  is  minimal  or  it  has  a  sub-cycle 

a  (a  +  7f).  (6.2)

A  graph  is  uniform  if  all  its  cycles  are  uniform. 

Before giving the motivation for this definition, the following useful
property of uniform cycles should be established.

Figure 6.1: Non-uniform separable graph

Lemma 6.1 If cycle (6.1) is uniform then there exists an integer $p > 0$ such
that (6.1) can be written as a concatenation of $p$ minimal cycles. In other
words, there exists a set of minimal cycles

$\{\, i : 0 \le i < p : \sigma_i \xrightarrow{*} \sigma_{i+1} \,\}$ (6.3)

such that $\sigma_0 = \sigma$ and $\sigma_p = (\sigma + \pi)$.

Proof:  Use  induction  on  the  length  of  the  uniform  cycle.  Since  there  are  no 
cycles  with  length  zero,  the  base  case  holds.  Next,  assume  the  lemma  holds 
for  all  cycles  with  length  less  than  that  of  (6.1).  If  (6.1)  is  minimal,  then  set 
p  =  1,  and  we  are  done.  Otherwise,  by  the  above  definition  and  Lemma  5.24, 
a  Mr->  [a  +  if)  and  {a  +  if)  ( a  +  7r)  are  cycles.  By  the  inductive  hypothesis, 
each  of  these  cycles  can  be  written  as  a  concatenation  of  minimal  cycles; 
therefore,  (6.1)  can  also  be  so  written.  Q.E.D. 
The following example gives the motivation for introducing
uniform graphs.

Example 6.1: Consider the following PR set:

$\neg x_0 \wedge \neg x_4 \vee x_0 \wedge \neg x_2 \to x_1\uparrow$
$\neg x_0 \wedge x_1 \vee x_0 \wedge x_1 \to x_2\uparrow$
$\neg x_0 \wedge x_2 \vee x_0 \wedge \neg x_4 \to x_3\uparrow$
$\neg x_0 \wedge x_3 \vee x_0 \wedge x_3 \to x_4\uparrow$
$\neg x_0 \wedge x_4 \vee x_0 \wedge x_2 \to x_1\downarrow$
$\neg x_0 \wedge \neg x_1 \vee x_0 \wedge \neg x_1 \to x_2\downarrow$
$\neg x_0 \wedge \neg x_2 \vee x_0 \wedge x_4 \to x_3\downarrow$
$\neg x_0 \wedge \neg x_3 \vee x_0 \wedge \neg x_3 \to x_4\downarrow$
$\neg x_4 \vee \neg x_2 \vee x_3 \to x_0\uparrow$
$\mathrm{false} \to x_0\downarrow$

Its state graph is shown in Figure 6.1 where the vertical edges represent the
occurrence of $(x_0, 1)$, the bold states are those with $x_0$ false, and the bold
edges are the events effecting changes among the bold states. (It may help to
visualize the bold states and events as being “above” the rest of the graph.)

Some of the guards in the text above, such as the one for $x_2\downarrow$, have been
written redundantly to show that the PR set operates in either of two modes.
If $x_0$ is false, then only the state changes marked in bold can occur. Once
$x_0$ becomes true, only those (non-vertical) state changes not marked in bold
can occur.

The graph is separable with minimal periods 02200 and 00022. Since
$00000 \xrightarrow{*} 02222$ is a cycle that contains the sub-cycle $10000 \xrightarrow{*} 12200$, it is
not minimal. It is also not uniform since it contains no sub-cycle starting at
00000. Note that if $x_0$ never becomes true (i.e., only the bold part of the
graph is valid), then $00000 \xrightarrow{*} 02222$ would be a minimal cycle. □

As illustrated above, it is difficult to decide if a cycle is minimal for this
example since the PR set has two “modes of operation”: one when it is in
the bold states and another when it is not. In fact, unless extra care has
been taken to examine all possible modes, any algorithm could, conceivably,
err in regarding a non-minimal cycle as minimal because no sub-cycles can
be found in the current mode. As shown in a later section, all non-uniform
graphs have more than one mode of operation; thus, it is important to
investigate the properties of these graphs.

Figure 6.2: Non-uniform separable graph with no terminating events

In Example 6.1, the variable associated with the “mode-switching” event,
$x_0$, changes value only once. However, as the next example illustrates, even
if all transitions occur infinitely often, the graph may still be non-uniform.

Example 6.2: In the PR set of Example 6.1, remove the PR’s for $x_0$, replace
each occurrence of $x_0$ in a guard with $(x_5 \vee x_6 \vee x_7)$ and add the following
PR’s:

$\neg x_7 \wedge x_5 \to x_6\uparrow$
$x_7 \to x_6\downarrow$
$x_6 \to x_5\downarrow$
$\neg x_6 \to x_5\uparrow$
$\neg x_5 \wedge x_6 \to x_7\uparrow$
$x_5 \to x_7\downarrow$

Now, all transitions (except those for $x_0$) occur infinitely often. But there is
still a mode-switching event which is $(x_5, 1)$ as Figure 6.2 attempts to
illustrate. Imagine the vertical axis of Figure 6.2 as a vertical axis superimposed
on Figure 6.1 and each horizontal line in Figure 6.2 as a path in the
cross-sectional plane of Figure 6.1. Before $(x_5, 1)$ occurs, the only possible path
corresponds to the bold edges of Figure 6.1. Once $(x_5, 1)$ has occurred, then
the PR set switches mode and cycles with minimal periods are possible. □

As our final example, we present a non-uniform non-separable graph.

Example 6.3: Consider the following PR set:


— >x  A  - ia3  A  —ic  V  x  A  — >a3  A  — ic  —*■  al| 

-<x  A  al  A  -ia3  ViAalA  -ia3  —>■  a2f 

-ix  A  a2  A  ( 61  A  — <62  V  c)  V  x  A  a2  A  (->63  V  62  V  c)  — >■  a3| 

nj  A  «3  A  c  V  1  A  a3  A  c  — >■  a2j 

-ix  A  “ia2  A  a3  A  “>63  Vi  A  ~ia2  A  a3  — >  al  j 

-<x  A  — 1  al  A  (c  A  63  V  62  A  -ic)  V 

x  A  — 1  al  A  (63  V  — < &1  V  -ic)  — ■>  a3J. 

-<x  A  —1 63  A  -ic  V  x  A  — 1 63  A  -ic  — >  61  ^ 

-1  a:  A  61  A  —>63  A  a3  V  x  A  61  A  —>63  — >  62| 

-ix  A  62  A  (a3  A^cAal  VcA  — <al)  V 

x  A  62  A  (-ia3  V  al  V  c)  — >■  63'f 
-11  A  63  A  c  V  1  A  63  A  c  — >■  62J, 

— >x  A  — 1 62  A  63  V  a:  A  — 1 62  A  63  — >  61  j. 

— >x  A  — 1 61  A  (— >a3  V  al)  Vi  A  — 1 61  A  (a3  V  — >a2  V  ~ >c)  — *  63 j. 

-ix  A  (a3  A  63  V  a2  A  62  A  -ia3)  V  x  A  a2  A  62  — >  c| 

-ix  A  — i al  A  — 1 6 1  A  — 1 63  V  x  A  — <al  A  — '61  — ■>  c[ 

true  — >  x] 

false  — >  xj. 


Figure 6.3 shows its state graph with the initial state of all variables false. To
reduce cluttering, each state with $x$ false is merged with the state that has
the same value but with $x$ true and is indicated as a bold circle. The bold
edges represent all the events that are possible when $x$ is false. Note that
there is only one transition on $x$ and $(x, 1)$ serves as a mode-switching event
whose occurrence causes the PR set to behave like the one in Example 3.2.
All minimal cycles, like the one between the initial state and the state marked
with a cross, have the same period. However, prior to $(x, 1)$ occurring, there
is no minimal cycle and any cycle containing only bold edges is non-uniform
or contains a non-uniform sub-cycle. □

Figure 6.3: Non-uniform non-separable graph


6.2  Non-transitory  States 


In each of the previous examples, if we assume the firings of the PR’s are
weakly fair, then, eventually, the “mode-switching” event would occur and
the original PR set would exhibit its steady-state behavior. This section
shows that any graph contains a “non-transitory” state $\sigma$ such that all
cycles starting from a state reachable from $\sigma$ are uniform. Furthermore, in
Chapter 7, it will be shown that the behavior of the PR set after reaching a
non-transitory state $\sigma$ can be modeled as a set of repetitive XER-systems, one
for each minimal period. Thus, even if a graph is non-uniform, to evaluate
its steady-state performance, it is sufficient to find and analyze its minimal
cycles.

Definition:  A  state  a  is  called  a  non-transitory  state  if 
Vo  :  enb(a,cr)  :  (  3fr  :  if  is  a  period  spanning  var(o)  :  a  (cr  +  if)  ).  (6.4) 

The  algorithm  in  Section  6.4  will  show  how  to  find  a  non-transitory  state. 
Below  we  have  established  some  of  its  properties. 

B 

Lemma  6.2  If  a  is  a  non-transitory  state  and  gh^t,  then  there  exists 
period  7r  such  that  r  [a  +  7r). 

Proof:  Use  induction  on  the  size  of  B.  If  \B\  =  0,  then  let  7r  be  the  zero- 
vector.  Suppose  \B\  >  0,  then  let 


a 


T. 


By  the  inductive  hypothesis,  there  exists  if  such  that  r-^(a  +  if)  and 
bool(cr  +  if)  =  bool(cr).  If  (3  occurs  in  the  path  t  -*t^(g  +  if),  then  let 
7T  be  if  and  we  are  done  by  Lemma  5.6.  If  j3  does  not  occur  in  the  path, 
then,  by  stability,  enb(/3,  a  +  if).  By  Lemma  5.16,  enb(/3  ©  if,  a),  and,  by 
the  definition  of  non-transitory  state,  there  exists  period  if  such  that 

C 

a  ^*r->  (<r  +  if)  A  (/3  0  7r)  G  C. 
By  Lemma  5.16,


(a  +  7 r)  (<j  +  if  +  7r)  A  /3  G  (C  ®  7r). 

Setting  7r  to  if  +  if  establishes  the  lemma.  Q.E.D. 

Corollary  6.3  If  a  is  a  non-transitory  state  and  a  -^t,  then  for  any  period 
tt,  a  (cr  +  if )  if  and  only  if  r  (r  +  7?) . 

Proof:  The  “only-if”  part  is  due  to  Lemma  5.19;  the  “if”  part  follows  from 
applying  that  lemma  to  r  +  7r),  which  is  guaranteed  by  Lemma  6.2, 

and  then  using  Lemma  5.16.  Q.E.D. 

Corollary  6.4  If  a  is  a  non-transitory  state,  then  all  cycles  starting  at  a 
are  uniform. 

Proof:  Suppose  a  +  tt)  has  sub-cycle  r  +  if).  By  Lemma  5.22, 

we  can  assume  w.l.g.  that  a  -k-*r.  Then,  by  Corollary  6.3,  a  -*r^(cr  +  if)  is 
also  a  sub- cycle.  Q.E.D. 

Corollary  6.5  A  state  a  is  a  non-transitory  state  if  and  only  if 
Vo  :  enb(o,  a)  :  (  3if  : 

if  is  a  minimum  period  spanning  var(o)  :  a  (a  +  if)  ) 

Proof:  Follows  directly  from  Corollary  6.4  and  Lemma  6.1. 

Corollary  6.6  If  a  is  a  non-transitory  state,  then  the  existence  of  a  cycle 
with  period  tt  implies  a  -k-+  (a  +  7r) . 

Proof:  Let  r  (r  +  7r)  be  the  cycle.  Let  <fi  be  the  c.c.d.  of  a  and  r.  The 
result  then  follows  from  Corollary  6.3.  Q.E.D. 

Lemma  6.7  If  a  and  a  is  a  non-transitory  state,  then,  so  is  t . 


(6.5) 

Q.E.D. 
Proof:  By  Lemma  6.2  and  Lemma  5.19,  there  exists  a  period  7r  such  that


B  C  ,  .  B  ©  Ti¬ 
er  T  >  ( (J  +  7T )  — > 


(r  +  7 r). 


Suppose  ( Xk,l )  is  enabled  at  r.  If  Xk  ^  span(7r),  then,  by  stability, 
enb((:rfc,  l),  a  +  tt)  which  implies  enb((j)fe,  l),  a).  By  Corollary  6.5,  there  ex¬ 
ists  a  minimal  period  ir  such  that  Xk  G  span(7r)  and  a  -k-+  (<r  +  7r).  Then,  by 
Lemma  5.19,  r  -^-»(r  +  f).  So,  r  is  a  non-transitory  state.  Q.E.D. 

Note that as the following example shows, even if every cycle starting
from a state $\sigma$ is uniform, $\sigma$ may still not be a non-transitory state.

Example 6.4: Figure 6.4 shows a PR set and its state graph for the initial
state where every variable is false. The short near-vertical edges are for
$(x, 1)$ and states with $x$ false and their connecting edges are shown in bold.
All cycles starting at the initial state are uniform. However, the initial state
is not a non-transitory state because there is no cycle containing $(x, 1)$.

Note that for any $i > 0$, event $(c, 2i + 1)$ is caused by either $(b, 2i + 1)$ or
$(d, 2i)$ and $(x, 1)$. Since there is no periodic index (i.e., $i$) in $(x, 1)$, the PR
set cannot be modeled as a repetitive XER-system. However, if we assume
that the PR set, due to fairness, has entered a non-transitory state where
$x$ has gone up, then $x$ has no further bearing on the performance of the
system. Consequently, we can ignore $(x, 1)$ and regard $(b, 2i + 1)$ and $(d, 2i)$
as possible causes of $(c, 2i + 1)$. The details of these arguments will become
clearer in Chapter 7; for now, it is sufficient to realize that a non-transitory
state serves a more important purpose than the implication of uniform cycles.
□


6.3  Detecting  Non-Uniform  Graphs 

The algorithm presented in the next section guarantees to return minimal
periods only if the graph is uniform. If the graph is not uniform, then the
algorithm has to be re-run starting at the non-transitory state determined
by the algorithm. Thus, for correctness, it is not necessary to determine if a
graph is uniform and this section can be skipped with little loss of continuity.
However, by recognizing a uniform graph, one can cut in half the simulation
steps needed to find its minimal periods and, thus, it may be worthwhile to
ascertain whether this is the case. As can be seen from the previous examples,
non-uniform graphs are fairly hard to construct and the following results give
some easy-to-check sufficient conditions (Corollaries 6.16 to 6.18) for a graph
to be uniform. To facilitate the discussion, we make the following definitions.

-id  — *  a]

ndAcVfl  —>■  b]

-id  A  x  V  b  — ■>  cj

a  A  b  A  c  — >  d]

d  — >  aj

d  A  -ia  — * ►  6 1

d  A  -ib  — >  cj

-ic  — >  dj

true  — >  x]

false  — >

Figure  6.4:  Is

-1Z9  — >  ziT

-iZg  ->  Xit

x0  ->  Xit

x0  V  x1  ->  x2]

x0  A  Xi  — »  x2]

Xg  V  Xi  ~ >  X2]

x0  A  xi  — »■  xi]

Figure 6.5: Examples of triggers for an event (panels a, b, c, d)

6.3.1  Disjunctively  Enabled  Events 

Definition: An event $\alpha$ is a trigger for another event $\gamma$ at state $\sigma$ if
$\sigma \xrightarrow{\alpha} \tau \wedge \neg\mathrm{enb}(\gamma, \sigma) \wedge \mathrm{enb}(\gamma, \tau)$.

Definition: An event $\gamma$ is disjunctively enabled if there exists a state $\sigma$ such
that there are two distinct triggers of $\gamma$ at $\sigma$. Each of these triggers is called
a disjunctive trigger of $\gamma$.

Example 6.5: Figure 6.5 gives some examples of how the triggers of the
event $(x_2, 1)$ can behave. In each example, only the relevant PR’s and state
values are given ($x_9$ is just some arbitrary variable) and all states at which
$(x_2, 1)$ is enabled are marked in bold. In Figure 6.5a, both $(x_0, 1)$ and $(x_1, 1)$
can occur in the initial state and they are both triggers for $(x_2, 1)$. The same
observation holds in Figure 6.5b. Moreover, due to the disjunction in the
guard for $x_2\uparrow$, $(x_0, 1)$ and $(x_1, 1)$ are also disjunctive triggers of $(x_2, 1)$ at
state 000. Note that the number of states at which $(x_2, 1)$ is enabled is larger
for the second case. In Figure 6.5c, only $(x_0, 1)$ can occur in the initial state
and so $(x_1, 1)$ is the only trigger of $(x_2, 1)$. In Figure 6.5d, $(x_0, 1)$ is the only
trigger of $(x_2, 1)$ and there need not be any disjunctive trigger in spite of the
disjunction in the guard for $\mathrm{tran}((x_2, 1))$.

All four scenarios occur in practice. The first two are typical behavior
for conjunctive and disjunctive guards. The third arises from strengthening
a guard to prevent its misfiring at some undesirable state (i.e., state where
$\neg x_0 \wedge x_1$ is true). Finally, the last example can be due to data-dependency
or the effect of symmetrization caused by weakening the original guard $x_0$
with $x_1$. □
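
The four behaviours described in Example 6.5 can be reproduced by enumerating a small state graph and applying the definitions of trigger and disjunctive trigger directly. The following Python sketch is an added example, not code from the thesis: the four PR sets are constructed to match the prose description of Figure 6.5 (with an always-true guard standing in for the environment variable), every variable is assumed to start false, and states are vectors of transition counts.

```python
from collections import deque

def bool_state(sigma):
    """bool(sigma): a variable is true iff it has made an odd number of
    transitions (assumption: every variable starts false)."""
    return tuple(count % 2 == 1 for count in sigma)

def enabled(rules, event, sigma):
    """enb(event, sigma) for event = (k, l), the l-th transition of variable k."""
    k, l = event
    if sigma[k] != l - 1:            # the l-th transition must follow the (l-1)-th
        return False
    direction = "up" if l % 2 == 1 else "down"
    guard = rules.get((k, direction))
    return guard is not None and bool(guard(bool_state(sigma)))

def moves(rules, sigma, max_index):
    """Yield (event, successor state) for every event enabled at sigma."""
    for k, count in enumerate(sigma):
        event = (k, count + 1)
        if count < max_index and enabled(rules, event, sigma):
            yield event, sigma[:k] + (count + 1,) + sigma[k + 1:]

def reachable(rules, init, max_index=4):
    """Breadth-first enumeration of the state graph, capped per variable."""
    seen, queue = {init}, deque([init])
    while queue:
        for _, tau in moves(rules, queue.popleft(), max_index):
            if tau not in seen:
                seen.add(tau)
                queue.append(tau)
    return seen

def triggers(rules, init, gamma, max_index=4):
    """Map each state sigma to the events alpha such that
    sigma -alpha-> tau, not enb(gamma, sigma), and enb(gamma, tau)."""
    found = {}
    for sigma in reachable(rules, init, max_index):
        if enabled(rules, gamma, sigma):
            continue
        for alpha, tau in moves(rules, sigma, max_index):
            if enabled(rules, gamma, tau):
                found.setdefault(sigma, set()).add(alpha)
    return found

def disjunctive_triggers(rules, init, gamma, max_index=4):
    """States with two or more distinct triggers of gamma.
    gamma is disjunctively enabled iff the result is non-empty."""
    trig = triggers(rules, init, gamma, max_index)
    return {s: t for s, t in trig.items() if len(t) >= 2}

# Constructed PR sets over (x0, x1, x2); only up-going rules are modelled.
ALWAYS = lambda b: True
SCENARIOS = {
    "a": {(0, "up"): ALWAYS, (1, "up"): ALWAYS,
          (2, "up"): lambda b: b[0] and b[1]},     # conjunctive guard
    "b": {(0, "up"): ALWAYS, (1, "up"): ALWAYS,
          (2, "up"): lambda b: b[0] or b[1]},      # disjunctive guard
    "c": {(0, "up"): ALWAYS, (1, "up"): lambda b: b[0],
          (2, "up"): lambda b: b[0] and b[1]},     # x1 can only follow x0
    "d": {(0, "up"): ALWAYS, (1, "up"): lambda b: b[0],
          (2, "up"): lambda b: b[0] or b[1]},      # disjunction, single trigger
}
INIT = (0, 0, 0)
GAMMA = (2, 1)   # the event (x2, 1)

def summarize():
    """Triggers and disjunctive-trigger states of (x2, 1) for each scenario."""
    out = {}
    for name, rules in SCENARIOS.items():
        out[name] = {
            "triggers": triggers(rules, INIT, GAMMA),
            "disjunctive_at": sorted(disjunctive_triggers(rules, INIT, GAMMA)),
        }
    return out

if __name__ == "__main__":
    for name, info in summarize().items():
        print(name, info)
```

Only scenario b reports a state with two distinct triggers, which is the sense in which a disjunction in the guard is necessary but not sufficient for an event to be disjunctively enabled.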

As  one  may  suspect  from  these  examples,  there  is  a  correlation  between 
the  trigger  of  an  event  and  its  guard. 

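Lemma 6.8 If $\alpha$ is a trigger of $\gamma$ and the guard of $\mathrm{tran}(\gamma)$ is $B_0 \vee B_1 \vee
\ldots \vee B_m$, then there exists at least one disjunct $B_i$ such that $B_i$ contains the
literal $\mathrm{lit}(\alpha)$.

Proof: By definition, there exist $\sigma$ and $\tau$ such that $\sigma \xrightarrow{\alpha} \tau$ with $\neg\mathrm{enb}(\gamma, \sigma)$
and $\mathrm{enb}(\gamma, \tau)$. Now, $\mathrm{enb}(\gamma, \tau)$ implies there exists an $i$ such that $B_i$ is true
at state $\tau$. But, $\neg\mathrm{enb}(\gamma, \sigma)$ implies $B_i$ is false at $\sigma$. By the definition of
$\xrightarrow{\alpha}$, the only difference between $\sigma$ and $\tau$ is that $\mathrm{lit}(\alpha)$ is false at $\sigma$ and is
true at $\tau$. Thus, $B_i$ contains $\mathrm{lit}(\alpha)$. Q.E.D.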

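Lemma 6.9 If $\alpha$ and $\beta$ are disjunctive triggers of $\gamma$ at some state $\sigma$, and
the guard of $\mathrm{tran}(\gamma)$ is $B_0 \vee B_1 \vee \ldots B_m$, then, there exist $i$ and $j$, such that
$B_i$ contains $\mathrm{lit}(\alpha)$ but not $\mathrm{lit}(\beta)$ and $B_j$ contains $\mathrm{lit}(\beta)$ but not $\mathrm{lit}(\alpha)$.

Proof: By definition, there exist $\tau_\alpha$ and $\tau_\beta$ such that $\sigma \xrightarrow{\alpha} \tau_\alpha$, $\sigma \xrightarrow{\beta} \tau_\beta$,
$\neg\mathrm{enb}(\gamma, \sigma)$, $\mathrm{enb}(\gamma, \tau_\alpha)$, and $\mathrm{enb}(\gamma, \tau_\beta)$. By the proof of Lemma 6.8, there
exists $i$ such that $B_i$ contains $\mathrm{lit}(\alpha)$, $B_i$ is false at $\sigma$, and $B_i$ is true at $\tau_\alpha$.
If $B_i$ contains $\mathrm{lit}(\beta)$, then $B_i$ can be written as $\mathrm{lit}(\alpha) \wedge \mathrm{lit}(\beta) \wedge C$ for some
Boolean expression $C$ not containing $\mathrm{lit}(\alpha)$ or $\mathrm{lit}(\beta)$. Now, by definition of
$\sigma \xrightarrow{\beta} \tau_\beta$, the value of $\mathrm{lit}(\beta)$ is false at $\sigma$. So, the value of $\mathrm{lit}(\beta)$ remains false
at $\tau_\alpha$ which contradicts the fact that $B_i$ is true at $\tau_\alpha$. Symmetric arguments
for $B_j$ establish the lemma. Q.E.D.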

The  following  two  results  concerning  disjunctively  enabled  events  will  be 
needed  in  Sub-section  6.3.3. 

Lemma  6.10  Given  n,m  >  0,  and  states  and  events  such  that 

a0  Oi  i  ol„- i 

00,0  >  01,0  »  •••  >  crn, 0, 

A)  (3  1  (dm—  1 

00,0 - *•  00,1  - *  •••  - *  00, mi 

and  {i  :  0  <  i  <  n  :  Oj}  fl  { j  :  0  <  j  <  m  :  /3j}  =  0,  for  any  7,  if 

-ienb(7,  crn_i,0)  A  enb(7,  anfi)  A  -.enb(7,  cr0,m_  1)  A  enb(7,  a0,m),  (6.6) 

then  there  exists  j  and  r  such  that  0  <  j  <  m,  cr0,o  and  on_i  and  (3j 

are  disjunctive  triggers  of  7  at  t. 

Proof:  Applying  Lemma  5.5  to  the  two  paths  above  yields  the  existence  of 
{i,j  :  1  <  i  <  n  A  1  <  j  <  m  :  at,3}  such  that  (5.8)  holds.  By  stability, 
enb(y,  al.j)  if  i  =  n  or  j  =  m.  Since  -ienb(7,  crn-i,o)  and  enb(7,  <j„_i jTn),  let  j 
be  the  largest  index  such  that  -ienb(7,  Setting  r  to  cn-i,j  establishes 

the  lemma.  Q.E.D. 


(3  B 

Lemma  6.11  Let  p  be  the  c.c.a.  of  oa  and  <Jb  with  p — >  (j)-k-+ab  and 

p- ^  o a-  Then,  for  any  7,  7  €  {A  fl  B)  A  enb(7,  (j>)  implies  there  exists 
an  event  a  £  A  and  a  state  t  such  that  p  -k-+cra,  and  (3  and  a  are 
disjunctive  triggers  of  7  at  t  . 


Proof:  By  Lemma  5.10,  [3  (f  A  and  7  e  A  PI  B  implies  -ienb(7,  p).  But 
7  G  A;  so,  let  a  be  the  first  intermediate  state  in  the  path  p  >cra  such  that 
enb(7,  a)  and  let 


/  \  a0  Oil  2  ®n— 1  / 

(p  =  To)  — >Ti  — ►  •  •  •  — ►  rn_  1  — ►  (t„  =  a). 


Then,  it  can  be  verified  that  f3  and  on-i  are  disjunctive  triggers  of  7  at  r„_i.

Q.E.D. 
6.3.2  Terminating  Events

Definition: Event $(x_k, l)$ is a terminating event if

$\exists \sigma :: \mathrm{enb}((x_k, l), \sigma) \wedge \forall \tau :: \neg\mathrm{enb}((x_k, l + 1), \tau)$.

A variable $x_k$ has a terminating event if there exists $l$ such that $(x_k, l)$ is a
terminating event.

Lemma 6.12 Suppose there exists a cycle with period $\pi$. If $\mathrm{var}(\delta) \in \mathrm{span}(\pi)$, then there exists a minimal period $\hat{\pi}$ such that $\mathrm{var}(\delta) \in \mathrm{span}(\hat{\pi})$.

Proof: Use induction on the length of the cycle. There is no period with zero length. For any cycle with non-zero length, if it is minimal then set $\hat{\pi}$ to $\pi$. Else, by Lemma 5.24, there exist two sub-cycles with periods $\hat{\pi}$ and $\pi - \hat{\pi}$. If $\mathrm{var}(\delta) \in \mathrm{span}(\pi)$ then $\mathrm{var}(\delta) \in \mathrm{span}(\hat{\pi})$ or $\mathrm{var}(\delta) \in \mathrm{span}(\pi - \hat{\pi})$. So, applying the inductive hypothesis on one of these sub-cycles establishes the lemma. Q.E.D.

Lemma 6.13 If there exist event $\langle x_k, l\rangle$ and state $\sigma$ such that $\mathrm{enb}(\langle x_k, l\rangle, \sigma)$ and $x_k$ has no terminating event, then there exists a minimal period $\hat{\pi}$ such that $x_k \in \mathrm{span}(\hat{\pi})$.

Proof: Pick $q$ large enough so that $q - \sigma_{init}[k] > 2^K$, where $K$ is the number of variables. Since $x_k$ has no terminating event, there exists $\tau$ such that $\mathrm{enb}(\langle x_k, q\rangle, \tau)$. W.l.g., assume $\tau$ is a state with the minimum weight such that $\mathrm{enb}(\langle x_k, q\rangle, \tau)$ is satisfied. Now, since the range of the bool() function has at most $2^K$ elements, by the Pigeonhole Principle, there exist intermediate states $\phi$ and $(\phi + \pi)$ in the path from $\sigma_{init}$ to $\tau$ such that $\phi \rightarrow^{*} (\phi + \pi)$ is a cycle. By Lemma 5.16, $\mathrm{enb}(\langle x_k, q\rangle \ominus \pi, \tau - \pi)$. So, by the choice of $\tau$, $\pi[k] \neq 0$. The existence of $\hat{\pi}$ then follows from Lemma 6.12. Q.E.D.

6.3.3  Criteria  for  Uniform  Graphs 

Definition:  The  event  b  is  called  a  mode-switching  event  if  there  exists  a 
non-uniform  cycle  a  (a  +  7r)  that  has  a  uniform  sub-cycle  a  ( a  +  if) 

and  cr  a. 
Lemma 6.14 If a state graph is non-uniform, then there exists a mode-switching event.


Proof:  Of  all  the  non-uniform  cycles,  let 

(7 -*^>(<7  +  7r)  (6.7) 

be  one  with  the  minimal  length.  By  definition,  it  is  not  minimal;  of  all  of  its 
normal  sub-cycles,  let 

<7  -^4  (d  +  if )  (6.8) 

V 

be  the  one  such  that  a  xr  has  the  shortest  length.  Since  A  C  A,  (6.8)  is 
uniform  since  its  length  is  less  than  that  of  (6.7).  Now,  V  is  not  empty  or 
else  (6.7)  is  uniform;  so,  let 


a 


a. 


(6.9) 


By  Lemma  5.19  and  Theorem  5.1,  r^*r->(r  +  7r)  exists  and  is  not  minimal. 
If  it  is  uniform,  then  it  has  a  sub-cycle  f  -*->  (r  +  7?)  which  would  then  be 
a  normal  sub-cycle  of  (6.7)  and  thereby  contradict  the  definition  of  (6.8). 
Thus,  r -k- >  (r  +  7r)  is  non-uniform  and  has  (6.8)  as  a  sub-cycle.  Therefore,  6 
is  a  mode-switching  event.  Q.E.D. 


A  A 

Lemma  6.15  Suppose  a  ^*r->  (cr  +  7 r)  is  a  cycle  and  a  ( a  +  if)  is  a  path 

such  that  a  — >  a ,  6  ^  A,  and  A  C  A.  Let  p  be  the  c.c.a.  of  (a  +  7r)  and 
(d  +  if ) .  Then,  there  exist  <p  and  C  C  A  such  that 

p  (j)  (d  +  f),  (6.10) 

and,  for  any  7  G  C  such  that  enb(7,  <f), 

3/3,  t:  /3  G  A/\a +  ir)  :  16  111 

6  and  (3  are  disjunctive  triggers  of  7  at  r.  1  ' 

Furthermore, either $\delta$ is a terminating event or, for all $\gamma \in C$ such that $\mathrm{enb}(\gamma, \phi)$, if the guard of $\mathrm{tran}(\gamma)$ is $B_0 \vee B_1 \vee \ldots \vee B_m$, then there are at least two $B_i$'s that do not contain the literal $\mathrm{lit}(\delta)$ and at least one $B_i$ that contains the literal $\mathrm{lit}(\delta)$ but is not a stable disjunct.




Proof:  Since  cr  is  a  common  ancestor  of  (a  +  7 r)  and  (a  +  if)  and  8  ^  A,  by 
Corollary  5.13,  6  occurs  in  p-k-*{d  +  if)  and  so,  by  stability,  (6.10)  holds. 
Moreover,  every  event  7  in  C  occurs  in  o  (<7  +  if);  so,  C  C  A  Let 

7  be  any  event  such  that  enb(7,  (p)  A  (7  G  C  C  A).  Then,  by  Lemma  6.11, 
(6.11)  is  valid. 

For  the  second  half  of  the  lemma,  let  (3  and  r  be  the  witnesses  to  (6.11). 
Write  the  cycle  a  (cr  +  7r)  as 


a  0  «i 

no  — >  — > 


OLr—\ 


a. 


O  t 


t  &r+l 

— >  ar+i  > 


1 


(J  n 


(6.12) 


with  oy  =  t  and  ay  =  (3.  Since  <5  is  a  disjunctive  trigger  of  7  at  there 

& 

exists  oy  such  that  oy  — >  oy  and  enb(7,  oy). 

Next,  suppose  6  is  not  a  terminating  event.  Let  6  =  (27,/)  and  6  = 
(xk,  l  +  1).  Then,  there  exists  f  such  that  enb(<5,f).  Let  f  be  the  c.c.d.  of  oy 
and  f;  then,  enb(<5,  r).  By  Lemma  5.19,  oy  >(oy  +  tt).  So,  by  Lemma  5.21, 
there  exist  q  >  0  and  a  state  <ft  such  that 


O r 


{<t>  +  q*), 


and  span(P)  n  span(7r)  =  0.  Since  <5  ^  A,  7r[fc]  =  0  and  so,  by  stability  and 
Lemma  5.16,  enb(<5,  r)  =>■  enb(<5,  <p  +  qir)  =>  enb (8,(p).  Letting  (pa  =  <p 
implies  there  exists  (pb  such  that 


Or 


Or 


V\{6} 


<Pa  - ►  <Pb  ■ 


(6.13) 


Since  enb(7,  oy),  let  B0  be  a  disjunct  that  is  true  in  state  oy-  By 
-ienb(7,  <jr),  B0  contains  lit (<5).  Note,  however,  that  the  value  of  lit (<5)  is 
false  at  (pb  and  therefore  B0  is  not  a  stable  disjunct.  Also,  by  Lemma  6.9, 
let  B\  be  the  disjunct  that  contains  the  literal  lit  (ay)  but  not  lit(<5).  The 
value  of  lit(ay)  is  false  in  oy  since  enb(ay,  oy);  therefore,  it  remains  false 
at  state  (pb  since  ay  does  not  occur  in  (6.13).  Also,  at  state  (pb,  the  value  of 
lit (5)  is  false.  Thus,  the  value  of  any  disjunct  containing  the  literal  lit(<5)  or 
lit  (ay)  is  false.  So,  stability  requires  that  there  exists  yet  another  disjunct, 
f?2,  that  contains  neither  literals.  Q.E.D. 


Theorem 6.1 If a graph is not uniform, then there exists a mode-switching event $\delta$ such that $\delta$ is a disjunctive trigger for two events $\alpha$ and $\beta$ with $\mathrm{var}(\alpha) \neq \mathrm{var}(\beta)$. Furthermore, either $\delta$ is a terminating event or, if the guard for $\mathrm{tran}(\alpha)$ or $\mathrm{tran}(\beta)$ is $B_0 \vee B_1 \vee \ldots \vee B_m$, then there are at least two $B_i$'s that do not contain $\mathrm{lit}(\delta)$ and at least one $B_i$ that contains $\mathrm{lit}(\delta)$ but is not a stable disjunct.

Proof:  By  Lemma  6.14,  there  exists  a  mode-switching  event  S.  So,  let 

(7 (<7  +  7r)  (6.14) 

be  a  non-uniform  cycle  with  uniform  sub-cycle  a  -*->  (cr  +  if)  and  a  — >  a.  By 
Lemma  5.24,  there  also  exists  cycle  (a  +  if)  +  7r).  Since  the  lengths  of 

these  last  two  cycles  are  less  than  (6.14),  they  are  uniform  and,  by  Lemma  6.1, 
can  be  written  a  concatenation  of  minimal  cycles.  Thus,  there  exist  an  integer 
p  >  1  and  a  set  of  minimal  cycles 

{i  :  0  <  i  <  p  :  %  -^fj+i} 

such  that  ?0  =  a  and  fm  =  (a  +  n).  For  alH,  0  <  i  <  p,  let  77  =  ri+i  —  % 
and  observe  that,  by  Lemma  5.2,  77  <  tt. 

Next,  let  i  be  an  arbitrary  integer  with  0  <  i  <  p.  Since  bool(fj)  = 
bool(d),  by  Lemma  5.16,  a  +  X;).  By  Lemma  5.20,  this  is  a  sub-cycle 

of  (6.14).  Let  A  be  the  set  of  events  occurring  in  that  sub-cycle  and  so 
A  C  A.  Let  p  be  the  c.c.a.  of  (o  tt )  and  (o  T  7r^)  and  let  7r  —  7r^.  Then, 
applying  Lemma  6.15  yields  the  existence  of  (j>  and  C  C  A  such  that  (6.10) 
is  satisfied  and,  for  any  7  e  C  such  that  enb(7,  (j>),  (6.11)  holds. 

& 

If  C  is  empty,  then  by  (6.10)  and  a — >  a,  (a  +  7Tj)  —  p  =  a  —  a.  So, 
p  =  a  +  7Tj  and  a  p  is  a  sub-cycle  of  (6.14),  contradicting  the  fact  that  it 
is  non-uniform.  Thus,  there  exists  7  G  C  such  that  <5  is  a  disjunctive  trigger 
for  7  by  (6.11).  Moreover,  C  C  A  implies  var(y)  is  in  span(7Tj). 

Now,  if  there  exist  i  and  j  such  that  77  ^  ttj,  then  6  is  a  disjunctive  trigger 
for  two  events  whose  variables  are  in  the  spanning  sets  of  different  minimal 
periods.  By  Theorem  5.2,  these  variables  are  different  and  the  first  part  of 
the  theorem  is  established  in  this  case. 

Alternatively,  if  for  all  i  and  j,  77  =  77,  then  7r  =  p7r0 .  Let  7f  =  7r0  and  let 
A  be  the  set  of  events  occurring  in  a  (a  +  tt).  If  p  is  the  c.c.a.  of  (a  +  7 r) 
and  (d  +  7r),  then,  by  Lemma  6.15,  there  exist  <fi,  and  C  C  A  such  that  (6.10) 
is  satisfied  and  for  all  7  G  C  with  enb(7,  (p),  (6.11)  holds. 
Now,  a


— *  a,  (7  -~k — > p,  and  (6.10)  imply 

A  C  _ 

a  -tr^(p  -k-+  (<7  +  IT). 

So,  by  Lemma  5.17  and  Lemma  5.16, 

C  ©  (p  —  1  )f 

a (a  +  (p  -  l)it) ((/>  +  (p  -  l)n)  (a+pn).  (6.15) 

& 

Since  (cr  +  7 r)  — >  (a  +  pi f),  the  set  of  events  occurring  in  (6.15)  is  exactly 
A-  So,  if  p  is  the  c.c.a.  of  ( a  +  ir)  and  (</>  +  {p  —  l)ff),  then,  by  Lemma  6.15, 
there  exist  (f)  and  C  C  A  such  that 


p-^-Kf>£->(<j>  +  (p-  1)tt) 

and  for  all  7  £  C  such  that  enb(y,  <p). 

3/3,  r  :  (/3  €  A)  A  (cr  -^th^{o  +  7r))  : 

8  and  f3  are  disjunctive  triggers  of  7  at  r. 


(6.16) 


(6.17) 


Now,  if  C  is  empty,  then  by  (6.16)  and  (6.10),  (<f>  +  (p—  1)77)  —  p  =  <f>  —  p 
and,  therefore,  p  =  p  +  {p  —  1)%.  This  equality  and  p-k-+{a  +  ir)  implies 


a 


>P  ^*r->((7  +  7T  —  (p  —  l)7f) 


is  a  sub-cycle  of  (6.14),  contradicting  the  fact  that  it  is  non-uniform.  There¬ 
fore,  C  is  not  empty  and  contains  7  such  that  <5  is  a  disjunctive  trigger  of 
7- 

Now,  C  is  not  empty  implies  p  ^  {a  +  ir)  and  there  exists  (3  such  that 
enb(/3,  p)  and  /3  occurs  in  p-^{a  +  ir).  By  Lemma  5.10,  /3  ^  C;  so,  by  sta¬ 
bility,  enb(/3,  (j)  +  {p  —  l)7f).  Also,  since  the  set  of  events  occurring  in  (6.15) 
is  A,  /3  G  (C  ©  {p  —  1)77) .  Consequently,  there  exists  7  =  (/3  ©  {p  —  l)fr)  such 
that  7  €  C  and  enb(7 ,<f>).  Thus,  by  (6.11),  8  is  a  disjunctive  trigger  of  7. 
Now,  if  var(/3)  =  var(7),  then  f3  =  7  since  they  are  both  enabled  at  (j).  How¬ 
ever,  enb(/3,  p)  but  -ienb(7,p)  due  to  7  €  C  C  A  and  Lemma  5.10.  Thus,  a 
contradiction  can  be  avoided  only  if  var(7),  which  is  the  same  as  var(/3),  is 
different  from  var(7).  Therefore,  the  first  part  of  the  theorem  is  established. 

The  second  part  of  the  Theorem  follows  directly  from  the  second  part  of 
Lemma  6.15.  Q.E.D. 
Corollary 6.16 A state graph that has no disjunctively enabled events is
uniform. 

Proof:  Obvious  from  Theorem  6.1.  Q.E.D. 

Corollary  6.17  A  state  graph  where  all  variables  have  no  terminating  events 
and  all  PR’s  have  stable  disjuncts  is  uniform. 

Proof:  Obvious  from  Theorem  6.1.  Q.E.D. 

Corollary  6.18  All  mode-switching  events  in  a  non-separable  state  graph 
are  terminating. 

Proof: Suppose the graph is not uniform. Then, let $\sigma$, $\pi$, $A$, $\hat{\sigma}$, $\hat{\pi}$, and $\delta$ be defined as in Theorem 6.1. By the remarks following the definition of a minimal cycle, (6.14) contains a sub-cycle with minimal period $\hat{\pi}_a$. Since $\delta \notin A$, $\mathrm{var}(\delta) \notin \mathrm{span}(\pi)$ which implies $\mathrm{var}(\delta) \notin \mathrm{span}(\hat{\pi}_a)$.

Next, suppose $\mathrm{var}(\delta)$ has no terminating event. Then, by Lemma 6.13, there exists a minimal period $\hat{\pi}_b$ such that $\mathrm{var}(\delta) \in \mathrm{span}(\hat{\pi}_b)$. Thus, the graph contains at least two minimal cycles with different periods and is therefore separable. Q.E.D.

Theorem 6.1 and its corollaries give some of the conditions that would guarantee a uniform graph. As can be seen, a non-uniform graph can only result from the presence of a mode-switching event that is a disjunctive trigger for two transitions with distinct variables. By Lemma 6.9, this condition can be checked syntactically. Most of the practical PR sets are non-separable and most (if not all) of their disjuncts are stable. Furthermore, the user is usually aware of which variables have terminating events and can then check specifically whether it is a potential mode-switching event. Lastly, the additional conditions that a non-terminating mode-switching event has to satisfy are quite restrictive, making it uncommon and fairly easy to spot.


6.4  Index-Priority  Simulation 

The algorithm for index-priority simulation is given in Section A.1. Algorithm 1, with its associated procedure find-cycle(), takes a PR set with a stable state graph and returns a non-transitory state $S[n]$ and a list of $p$ cycles, in array $C[\,]$, that satisfies the conditions described below. In the remainder of this chapter, for any $i$, $0 \le i < p$, let $C[i] = \sigma_i \rightarrow^{*} (\sigma_i + \pi_i)$.

Then, the following two conditions hold for the list of cycles returned by the algorithm:

$$\forall \hat{\pi} : \hat{\pi} \text{ is a period} : \mathrm{span}(\hat{\pi}) \subseteq \bigcup_{i=0}^{p-1} \mathrm{span}(\pi_i), \qquad (6.18)$$

and

$$\forall i, j : 0 \le i < j < p : (\exists k :: x_k \notin \mathrm{span}(\pi_i) \wedge x_k \in \mathrm{span}(\pi_j)). \qquad (6.19)$$

In addition, if the associated graph is uniform, then all of the periods are minimal and different from each other.

Below  is  an  illustration  of  how  the  algorithm  works.  The  proof  of  its 
correctness  will  follow. 

Example  6.6:  Below  is  a  simplified  version  of  the  PR  set  for  the  zero-checker 
zeroB  described  in  Sub-section  2.5.5  —  the  intermediate  variables  a  and  b 
have  been  removed: 


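$$\begin{array}{lcl}
(aT_i \vee aF_i) \wedge (bT_i \vee bF_i) & \rightarrow & g\uparrow \\
g \wedge (aT_i \vee bT_i) & \rightarrow & cT_o\uparrow \\
g \wedge (aF_i \wedge bF_i) & \rightarrow & cF_o\uparrow \\
(\neg aT_i \wedge \neg aF_i) \wedge (\neg bT_i \wedge \neg bF_i) & \rightarrow & g\downarrow \\
\neg g & \rightarrow & cT_o\downarrow \\
\neg g & \rightarrow & cF_o\downarrow.
\end{array}$$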

Suppose  we  want  to  analyze  its  performance  with  respect  to  the  following 
environment: 


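$$\begin{array}{l}
*[aT_i\uparrow;\ [cT_o \vee cF_o];\ aT_i\downarrow;\ [\neg cT_o \wedge \neg cF_o]; \\
\quad aF_i\uparrow;\ [cT_o \vee cF_o];\ aF_i\downarrow;\ [\neg cT_o \wedge \neg cF_o]] \\
\parallel\ *[bT_i\uparrow;\ [cT_o \vee cF_o];\ bT_i\downarrow;\ [\neg cT_o \wedge \neg cF_o]; \\
\quad bF_i\uparrow;\ [cT_o \vee cF_o];\ bF_i\downarrow;\ [\neg cT_o \wedge \neg cF_o]].
\end{array}$$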

First, the handshaking expansions above need to be converted into PR sets. Since we are not interested in the precise implementation of the environment, this conversion need not be performed optimally. In fact, by using a "program counter," there exists a syntactic translator from arbitrary handshaking expansions to PR sets. In this example, the state variables $d0$ and $d1$ are introduced in the first handshaking expansion which is then compiled into

$$\begin{array}{lcl}
\neg d1 \wedge \neg d0 & \rightarrow & aT_i\uparrow \\
\neg d1 \wedge (cT_o \vee cF_o) & \rightarrow & d0\uparrow \\
d0 \wedge \neg d1 & \rightarrow & aT_i\downarrow \\
d0 \wedge \neg cT_o \wedge \neg cF_o & \rightarrow & d1\uparrow \\
d1 \wedge d0 & \rightarrow & aF_i\uparrow \\
d1 \wedge (cT_o \vee cF_o) & \rightarrow & d0\downarrow \\
d1 \wedge \neg d0 & \rightarrow & aF_i\downarrow \\
\neg d0 \wedge \neg cT_o \wedge \neg cF_o & \rightarrow & d1\downarrow.
\end{array}$$

Similarly, the second handshaking expansion is implemented in a symmetric fashion using state variables $e0$ and $e1$.

So, let $\mathcal{P}$ be the union of the PR set for the zero-checker and those for its environment; its state graph is shown in Figure 6.6. Next, suppose the variables are indexed in reverse-alphabetical order, i.e., $x_0 = g$, $x_1 = e1$, ..., $x_{10} = aF_i$. Then, at every state where more than one event is enabled, the event corresponding to the alphabetically first variable will be selected in find-cycle(). Hence, when first called from Algorithm 1, find-cycle() traces out the path shown in bold in Figure 6.6. Since the two states marked with crosses are the first pair to have the same Boolean value, the following cycle, with period 42222222222, will be returned:

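$$\begin{aligned}
&\sigma_0 \xrightarrow{\langle bT_i,1\rangle} \sigma_1 \xrightarrow{\langle g,1\rangle} \sigma_2 \xrightarrow{\langle cT_o,1\rangle} \sigma_3 \xrightarrow{\langle d0,1\rangle} \sigma_4 \xrightarrow{\langle aT_i,2\rangle} \\
&\sigma_5 \xrightarrow{\langle e0,1\rangle} \sigma_6 \xrightarrow{\langle bT_i,2\rangle} \sigma_7 \xrightarrow{\langle g,2\rangle} \sigma_8 \xrightarrow{\langle cT_o,2\rangle} \sigma_9 \xrightarrow{\langle d1,1\rangle} \\
&\sigma_{10} \xrightarrow{\langle aF_i,1\rangle} \sigma_{11} \xrightarrow{\langle e1,1\rangle} \sigma_{12} \xrightarrow{\langle bF_i,1\rangle} \sigma_{13} \xrightarrow{\langle g,3\rangle} \sigma_{14} \xrightarrow{\langle cF_o,1\rangle} \\
&\sigma_{15} \xrightarrow{\langle d0,2\rangle} \sigma_{16} \xrightarrow{\langle aF_i,2\rangle} \sigma_{17} \xrightarrow{\langle e0,2\rangle} \sigma_{18} \xrightarrow{\langle bF_i,2\rangle} \sigma_{19} \xrightarrow{\langle g,4\rangle} \\
&\sigma_{20} \xrightarrow{\langle cF_o,2\rangle} \sigma_{21} \xrightarrow{\langle d1,2\rangle} \sigma_{22} \xrightarrow{\langle aT_i,3\rangle} \sigma_{23} \xrightarrow{\langle e1,2\rangle} \sigma_{24}.
\end{aligned} \qquad (6.20)$$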

Since all variables have events appearing in the cycle, $V$ will become the set of all variables when find-cycle() returns for the first time. Hence, the second call of find-cycle() results in empty-cycle being returned and the algorithm terminates with (6.20) as the only cycle found and $\sigma_0 = 00000000010$ as a non-transitory state.

Now, since $cT_o$ and $cF_o$ are mutually exclusive due to dual-rail encoding, the disjuncts in the guards for $d0\uparrow$, $d0\downarrow$, $e0\uparrow$, and $e0\downarrow$ are stable. Also, if either of the disjuncts in the guard of $cT_o\uparrow$ is true, then it remains true until $cT_o\uparrow$ fires because of the handshake protocol in the environment. Finally, none of the literals in the guard of $g\uparrow$ can change from true to false without $g\uparrow$ occurring first; therefore, the disjuncts of $g\uparrow$ are stable. Note that it is possible to conclude that the disjuncts of a guard are stable without writing it in DNF.

Figure 6.6: Cumulative state graph for a zero-checker cell

Since all disjuncts are stable and there is no terminating event (each variable appears in a cycle), the state graph is uniform. Therefore, (6.20) is a minimal cycle and $\pi = 42222222222$ is the only minimal period. □

We will first establish the correctness of Algorithm 1 for the general case where the state graph may not be uniform. The function next_state($s$, $\alpha$) assumes the event $\alpha$ is enabled at state $s$ and returns a new state $\sigma$ such that

$$s \xrightarrow{\alpha} \sigma. \qquad (6.21)$$

Also, empty-cycle is a special return value which signifies that no cycle has been found.

Lemma  6.19  The  following  two  predicates  are  loop  invariants  of  the  repeat- 
loop  in  Algorithm  1: 


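$$S[0] \xrightarrow{A[0]} S[1] \xrightarrow{A[1]} \cdots \xrightarrow{A[n-1]} S[n], \qquad (6.22)$$

and

$$\forall i, j : 0 \le i, j \le n : \mathrm{bool}(S[i]) = \mathrm{bool}(S[j]) \Rightarrow i = j. \qquad (6.23)$$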

Proof: First, consider the procedure find-cycle(). By its topology,

$$E = \{\alpha : \mathrm{enb}(\alpha, S[n]) \wedge \mathrm{var}(\alpha) \notin V : \alpha\} \qquad (6.24)$$

is an invariant of the while-loop. Next, suppose that (6.22) and (6.23) hold when find-cycle() is called. Then, by (6.24), $\mathrm{enb}(A[n], S[n])$. So, by (6.21),

$$S[0] \xrightarrow{A[0]} S[1] \xrightarrow{A[1]} \cdots \xrightarrow{A[n-1]} S[n] \xrightarrow{A[n]} s \qquad (6.25)$$

holds just before the if-statement. If the condition in the if-statement is false, then $\forall i : 0 \le i \le n : \mathrm{bool}(S[i]) \neq \mathrm{bool}(s)$. This predicate, (6.25), and the assignments to $n$ and $S[n]$ imply (6.23) and (6.22) are invariants of the while-loop.
Alternatively, if the condition in the if-statement is true, then the procedure returns after setting $n$ to a value that is less than its value before the if-statement. This assignment cannot invalidate (6.22) and (6.23). So, in either case, if (6.22) and (6.23) hold when find-cycle() is called, then they hold when the procedure returns. This conclusion establishes the lemma since (6.22) and (6.23) hold when the repeat-loop of Algorithm 1 is first entered.

Q.E.D. 


Lemma 6.20 If find-cycle() does not return empty-cycle, then it returns a cycle whose period has a spanning set containing a variable not in $V$.


Proof: If find-cycle() does not return empty-cycle, then it returns


S[i]  — S[i  +  1] 


A[i  +  1] 


(6.26) 


By (6.25) and $\mathrm{bool}(S[i]) = \mathrm{bool}(s)$, (6.26) is a cycle. Finally, by construction, $\mathrm{var}(A[m]) \notin V$; thus, the lemma is established. Q.E.D.


Lemma 6.21 The following two predicates and (6.19) are invariants of the repeat-loop in Algorithm 1:

$$V = \bigcup_{i=0}^{p-1} \mathrm{span}(\pi_i), \qquad (6.27)$$

and

$$\forall i : 0 \le i < p : S[n] \rightarrow^{*} (S[n] + \pi_i). \qquad (6.28)$$

Proof: From the assignments to $U$ and $V$, (6.27) is a loop invariant. Next, consider the situation immediately after the assignment to $C[p]$. By Lemma 6.20, the spanning set of $\pi_p$ contains a variable $x_k$ not in $V$; so, by (6.27), $x_k$ is not in the spanning set of any $\pi_i$ with $0 \le i < p$. Thus, (6.19) is established after the increment of $p$.

Finally, assume that (6.28) holds at the beginning of the repeat-loop and let $\hat{n}$ be the value of $n$ at that point so that

$$\forall i : 0 \le i < p : S[\hat{n}] \rightarrow^{*} (S[\hat{n}] + \pi_i). \qquad (6.29)$$

Consider the situation after find-cycle() returns. If $c$ is empty-cycle, then $S[\hat{n}] \rightarrow^{*} S[n]$. By Lemma 5.19, (6.29) $\Rightarrow$ (6.28). Alternatively, if $c$ is not empty-cycle, then there exists period $\hat{\pi}$ such that $c$ is

$$S[n] \rightarrow^{*} (S[n] + \hat{\pi}). \qquad (6.30)$$

If $n > \hat{n}$, then, as before, $S[\hat{n}] \rightarrow^{*} S[n]$ and (6.28) holds. Else, we have

$$S[n] \rightarrow^{*} S[\hat{n}] \rightarrow^{*} (S[n] + \hat{\pi}).$$

Again, (6.28) holds by applying Lemma 5.19 to the second half of the path above and then applying Lemma 5.16. Finally, (6.30) and (6.29) establish (6.28) as a loop invariant after the assignment to $C[p]$ and the increment of $p$. Q.E.D.

Lemma 6.22 Algorithm 1 returns with $S[n]$ as a non-transitory state and $C$ as a list of cycles such that (6.18) and (6.19) are satisfied.

Proof: For now, suppose the algorithm terminates and consider the situation afterward. Then, by Lemma 6.21, (6.19), (6.27), and (6.28) hold. Furthermore, since find-cycle() returns empty-cycle, $E$ is empty. Thus, $\mathrm{enb}(\alpha, S[n])$ implies $\mathrm{var}(\alpha) \in V$. So, by (6.27) and (6.28), $S[n]$ is a non-transitory state.

Next, let $\pi = \sum_{i=0}^{p-1} \pi_i$. Then, by (6.28) and Lemma 5.16, $S[n] \rightarrow^{*} (S[n] + \pi)$. For any period $\hat{\pi}$, Corollary 6.6 implies $S[n] \rightarrow^{*} (S[n] + \hat{\pi})$. So, by Lemma 5.21, there exist $q$, $\mathcal{D}$, and $\phi$ such that

S[n]  £+{</>  ~  qn)  ^(S[n]  +  if )  -*-*<!>,  (6.31) 

and  span(D)  n  span(7r)  =  0.  Suppose,  toward  a  contradiction,  that  there 
exists  a  variable  index  k  such  that  Xk  G  (span(if)  \span(7r)).  Then,  V  is  not 
empty  since  otherwise  if  <  qir.  Consequently,  there  exists  an  event  6  such 
that  enb(<5,  S[n])  and  6  span(7r).  By  (6.27),  6  is  in  E  and  the  algorithm 
would  not  have  terminated.  This  contradiction  can  be  avoided  only  if  (6.18) 
holds. 

Since there are at most $2^K$ different values for bool(), (6.23) implies find-cycle() terminates. Also, since the size of $V$ increases with each iteration through the repeat-loop and is bounded above by $K$, Algorithm 1 terminates and the lemma is established. Q.E.D.
6.4.1 Uniform Graphs

To  show  that  only  minimal  periods  are  found  by  the  algorithm  if  the  graph 
is  uniform,  several  preliminary  results  are  needed. 

Lemma  6.23  Let  d  -k-*o  (<7  +  7r)  be  a  cycle  in  a  uniform  graph.  If  there 

exists  an  event  a  occurring  in  the  cycle  such  that  enb(o,  a)  and 

V/3  :  enb(/3,  a)  A  var(/3)  £  span(7r)  :  j3  =  a,  (6.32) 

then  there  exist  p  >  0  and  minimal  period  tv  such  that  7r  =  pir . 

Proof:  By  Lemma  5.19,  cr^*r->(cr  +  7 r).  Since  the  graph  is  uniform,  by 
Lemma  6.1,  there  exist  p  >  0  and  a  set  of  minimal  cycles 

{i  :  0  <  i  <  p  :  cq  >(cq  +  7 q)}  (6.33) 

such  that  (T0  =  a,  cq+i  =  ( <r*  +  7q),  and  ap  =  [a  +  7r).  For  any  z,  by 
Lemma  5.16  and  bool(<r)  =  bool(cq),  (6.32)  still  holds  if  a  is  replaced  by  cq 
and  a  is  replaced  by  ( a  ©  (cq  —  a)).  Consequently,  (a  ©  (cq  —  a))  occurs  in 
cq  >(cq  +  7 Tj)  and  so  var(o)  £  span(7q).  By  Theorem  5.2,  all  of  the  7q’s 
are  the  same  and  7 r,  being  their  sum,  is  p7r0.  Q.E.D. 

Lemma  6.24  In  a  uniform  graph,  if  there  exist  p  >  1,  minimal  period  tv, 
and  a  cycle 

d -k-UJb-k-^<7c-k-^(d  +  pH)  (6.34) 

with  event  a  and  intermediate  states  a b  and  ac  such  that  enb(o,  ab), 
enb(o  ©  7 f,  crc), 

V/3  :  enb(/3,  at)  A  var(d)  £  span(if)  :  ft  =  a,  (6.35) 

and 

Vy  :  enb(y,  oc )  A  var(y)  £  span(if)  :  7  =  (a  ©  if),  (6.36) 

then  bool(cq,)  =  bool(crc). 

Proof:  By  Lemma  6.1  and  Lemma  5.16,  we  have  a  (a  +  if)  (at  +  if). 

(See  Figure  6.7.)  Let  p  be  the  c.c.a.  of  ac  and  (cq,  +  if)  with 

$  c 

p  ac  A  p  (cq,  +  tv)  . 
Figure 6.7: Proof of Lemma 6.24


Note  that  by  Lemma  5.11,  Now,  if  B  is  not  empty  then  there 

exists  (3  such  that  (3  G  B  and  enb (/?,  p).  By  Lemma  5.10,  (3  C  and 
therefore  enb(/3,  cq,  +  if)  which  implies  enb(/3  ©  if,  cr6) .  Since  (3  occurs  in 
a  p  -^ac,  var(/3)  G  span(if)  and,  by  (6.35),  (/3  0  if)  =  a  which  means 
[3  =  [a,  ®  if).  This  equality  and  f3  G  B  contradict  enb(a  ®  if,  ac );  thus,  B  is 
empty.  Similarly,  C  is  empty  due  to  (6.36).  Therefore,  ac  =  (cq,  +  if)  and  the 
lemma  is  proved.  Q.E.D. 


Theorem  6.2  For  a  uniform  graph,  Algorithm  1  returns  only  minimal  cycles 
and  the  periods  of  these  cycles  are  all  distinct  and  are  the  only  minimal 
periods  in  the  graph. 


Proof:  By  Lemma  6.22,  it  remains  to  show  that  find-cycle( )  returns  only 
minimal  cycles  since  then,  by  (6.19)  and  Theorem  5.2,  the  periods  will  be 
different  from  each  other.  Toward  that  end,  let 


S[i]^!s[i  +  l] 


A[i  +  1] 


(6.37) 


be  a  cycle  returned  by  find-cycle()  and  let  s  =  S[i]  +7r.  Let  A  =  {i  :  i  <  i  < 
m  :  A [7] } .  Let  k  be  the  smallest  index  such  that  G  span(7r).  Let  A  be  one 
more  than  the  Ac-th  component  of  S [i] .  Then,  by  Lemma  5.2,  a  =  (xK,X)  is 
in  A.  Notice  that  by  the  choice  of  k  in  find-cycle( )  A[a]  =  a  only  if  no  other 
event  (3,  enabled  at  S[a],  satisfies  var {(3)  G  span(7r).  Thus,  by  Lemma  6.23, 
there exists a minimal period $\hat{\pi}$ and an integer $p > 0$ such that $\pi = p\hat{\pi}$. If $p > 1$, then $(\alpha \oplus \hat{\pi}) \in \mathcal{A}$ by Lemma 5.2. Again, $A[b] = (\alpha \oplus \hat{\pi})$ only if no other event $\gamma$ enabled at $S[b]$ satisfies $\mathrm{var}(\gamma) \in \mathrm{span}(\pi)$. So, by Lemma 6.24, $\mathrm{bool}(S[a]) = \mathrm{bool}(S[b])$ which violates the fact that (6.23) is a loop-invariant of find-cycle(). Thus, (6.37) is a minimal cycle and the theorem is proved.

Q.E.D. 


6.4.2  Non-Uniform  Graphs 

First, note that the definition of state graphs allows for an arbitrary initial state, i.e., $T(\mathcal{P}, \sigma)$ is defined to be the state graph consisting of all states in $E(\mathcal{P})$ that are reachable from $\sigma$ under the state change relationship specified by $\mathcal{P}$. Then, by Lemma 6.4 and Lemma 6.7, $T(\mathcal{P}, \sigma)$ is a uniform graph whenever $\sigma$ is a non-transitory state. Therefore, if it has not been determined that the state graph corresponding to the input PR set is uniform, then re-running Algorithm 1 starting at state $S[n]$ will return all minimal periods in the graph. As an extra computation-saving technique, if the input PR set is non-separable and there exists a cycle with period $\pi$ such that the greatest common divisor of the elements in $\{k : 0 \le k < K : \pi[k]\}$ is 2, then $\pi$ is the unique minimal period by the following lemma.

Lemma 6.25 In a non-separable graph with minimal period $\hat{\pi}$, if $\pi$ is a non-minimal period, there exists $p > 1$ such that $\pi = p\hat{\pi}$.

Proof: By Algorithm 1, there exists a non-transitory state $\sigma$. The rest follows from Lemma 6.6, Lemma 6.4, and Lemma 6.1. Q.E.D.

Note  that  the  converse  is  not  true.  In  Example  6.3,  if  x  is  set  to  be 
identically  false,  then,  as  indicated  by  the  bold  cycle  in  Figure  6.3,  there  are 
four  transitions  associated  with  every  variable  in  the  minimal  period. 

6.4.3  Implementation  Issues 

There are two observations that greatly simplify the implementation of Algorithm 1. First, though in the theoretical analysis, states are considered as vectors of integers, in the algorithm, only the Boolean values of these states are needed for comparisons. Hence, it is only necessary to represent states as Boolean vectors linked together by pointers. Similarly, an event can be identified by its transition without its occurrence number.

The second simplification arises from stability: once an event is enabled it remains enabled until the corresponding PR fires. Therefore, the current value of $E$ can be updated incrementally. Every time a transition $t$ occurs, add to $E$ all transitions whose PR's become enabled because of the occurrence of $t$. When new variables are added to $V$, remove the transitions corresponding to these variables from $E$.
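The index-priority simulation of Example 6.6, as an added Python illustration (not the thesis's Algorithm 1, whose listing is in Section A.1): the loop structure is reconstructed from this chapter's description and lemmas, and the PR set is transcribed from the example with the up and down transitions written as True and False. States are kept as Boolean vectors and events are identified by their transitions, as suggested above; the enabled set is recomputed at each step rather than updated incrementally, an assumption made for brevity.

```python
"""Index-priority simulation of the PR set of Example 6.6 (added illustration)."""

# Variables indexed in reverse-alphabetical order: x0 = g, ..., x10 = aFi.
VARS = sorted(["aTi", "aFi", "bTi", "bFi", "cTo", "cFo",
               "d0", "d1", "e0", "e1", "g"], reverse=True)
INDEX = {v: i for i, v in enumerate(VARS)}


def env_rules(t, f, lo, hi):
    """PR set compiled from one environment process; lo/hi are its state variables."""
    done = lambda s: s["cTo"] or s["cFo"]
    idle = lambda s: not s["cTo"] and not s["cFo"]
    return [
        (lambda s: not s[hi] and not s[lo], t, True),
        (lambda s: not s[hi] and done(s), lo, True),
        (lambda s: s[lo] and not s[hi], t, False),
        (lambda s: s[lo] and idle(s), hi, True),
        (lambda s: s[hi] and s[lo], f, True),
        (lambda s: s[hi] and done(s), lo, False),
        (lambda s: s[hi] and not s[lo], f, False),
        (lambda s: not s[lo] and idle(s), hi, False),
    ]


# Each rule is (guard, variable, new value): the zero-checker plus both environments.
RULES = [
    (lambda s: (s["aTi"] or s["aFi"]) and (s["bTi"] or s["bFi"]), "g", True),
    (lambda s: s["g"] and (s["aTi"] or s["bTi"]), "cTo", True),
    (lambda s: s["g"] and s["aFi"] and s["bFi"], "cFo", True),
    (lambda s: not (s["aTi"] or s["aFi"] or s["bTi"] or s["bFi"]), "g", False),
    (lambda s: not s["g"], "cTo", False),
    (lambda s: not s["g"], "cFo", False),
] + env_rules("aTi", "aFi", "d0", "d1") + env_rules("bTi", "bFi", "e0", "e1")


def enabled(state, excluded):
    """Transitions enabled at state whose variable is not in the excluded set V."""
    return [(var, val) for guard, var, val in RULES
            if var not in excluded and state[var] != val and guard(state)]


def find_cycle(path, events, excluded):
    """Extend the path by always firing the enabled transition with the highest
    variable index; stop at the first state whose Boolean value repeats."""
    while True:
        candidates = enabled(path[-1], excluded)
        if not candidates:
            return None  # plays the role of empty-cycle
        var, val = max(candidates, key=lambda e: INDEX[e[0]])
        nxt = dict(path[-1], **{var: val})
        for i, seen in enumerate(path):
            if seen == nxt:
                cycle = events[i:] + [(var, val)]
                del path[i + 1:], events[i:]  # back up to the start of the cycle
                return cycle
        path.append(nxt)
        events.append((var, val))


def index_priority_simulation(initial):
    """Return (final state S[n], list of (cycle, period)) for the PR set in RULES."""
    path, events, covered, cycles = [dict(initial)], [], set(), []
    while True:
        cycle = find_cycle(path, events, covered)
        if cycle is None:
            return path[-1], cycles
        # Period: number of transitions of each variable in the cycle.
        period = [sum(1 for var, _ in cycle if var == v) for v in VARS]
        cycles.append((cycle, period))
        covered |= {v for v, k in zip(VARS, period) if k}  # V grows by span(period)


def bits(state):
    """Boolean vector of a state in index order x0 ... x10."""
    return "".join("1" if state[v] else "0" for v in VARS)


if __name__ == "__main__":
    state, cycles = index_priority_simulation({v: False for v in VARS})
    print("non-transitory state:", bits(state))
    for cycle, period in cycles:
        print("period:", "".join(map(str, period)), "length:", len(cycle))
```

Starting from the all-false state, the run reproduces the single cycle (6.20), its period, and the non-transitory state reported in Example 6.6.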

6.4.4  Complexity 

In each simulation step, the enabled PR whose transition has the highest index is fired, the corresponding new state is computed and checked to see whether it has been encountered before, and, if it has not, all PR's that are enabled in the new state are determined. This step has complexity similar to that of a step in any other selective simulation algorithm that attempts to find cycles by tracing out a single path. In particular, the number of operations performed per step depends mainly on the number of states encountered so far, the number of guards affected by the firing, and the computation required to determine which of these guards change from false to true.

As for the number of simulation steps required by Algorithm 1, it is the sum of the lengths of the cycles found plus the steps needed to reach a non-transitory state. If the graph is uniform and the initial state is a non-transitory state, then this number is optimal in the sense that any other algorithm needs this many steps just to trace out the minimal cycles. Therefore, as the following chapter demonstrates, Algorithm 1 provides a very simple and efficient means to determine the information that enables one to represent a PR set as a repetitive XER-system.
Chapter 7

Modeling PR Sets as XER-Systems


This chapter addresses the problem of generating an XER-system for a PR set once its minimal periods have been determined. First, as the following section shows, PR sets with separable graphs can be partitioned into independent components, each represented by its own XER-system. Then, the correspondence between the causality relationships of a PR set and those of an XER-system will be discussed. Finally, an algorithm for converting the former to the latter will be presented; it turns out that this conversion is much simpler if the PR set has only stable disjuncts.


7.1  Separable  Graphs 

In this section, we will show that if a state graph has more than one minimal
period, then, after a non-transitory state has been reached, the corresponding
PR set can be partitioned into independent components, one for each
minimal period and each with its own set of variables. We need the following
intermediate result.


Lemma 7.1 Let $\sigma_{nt}$ be a non-transitory state. Let $\hat{\pi}$ be a minimal cycle.
Then for any state $\tau$ reachable from $\sigma_{nt}$, there exist $\phi$, $q > 0$, and period $\pi$
such that


°nt 


5_ 


(</>  +  qn), 


(7.1) 
and

$\mathrm{span}(\pi) \cap \mathrm{span}(\hat{\pi}) = \emptyset \;\wedge\; \mathrm{span}(\mathcal{A}) \subseteq \mathrm{span}(\hat{\pi})$. (7.2)

Proof: Let the minimal periods of the graph be $\hat{\pi}_0, \hat{\pi}_1, \ldots$, and $\hat{\pi}_l$. W.l.g.,
let $\hat{\pi} = \hat{\pi}_0$. By Lemma 6.6 and Lemma 6.7,

ant  (^nt  +  7ri)  (ant  +  7ri  +  7r2)  (^nt  +  7r) 

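where $\pi$ is defined as $\hat{\pi}_1 + \hat{\pi}_2 + \cdots + \hat{\pi}_l$. By Theorem 5.2,
$\mathrm{span}(\pi) \cap \mathrm{span}(\hat{\pi}) = \emptyset$. Also, by Lemma 5.21, (7.1) exists with
$\mathrm{span}(\mathcal{A}) \cap \mathrm{span}(\pi) = \emptyset$.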

Now,  if  a  occurs  in  arp  ^*r->r,  then  it  occurs  in  a  cycle  starting  from  arp 
by Lemma 6.2; so, it occurs in a minimal cycle by Lemma 6.12. Hence,
$\mathrm{var}(\alpha) \in (\mathrm{span}(\pi) \cup \mathrm{span}(\hat{\pi}))$. So, $\mathrm{span}(\mathcal{A}) \cap \mathrm{span}(\pi) = \emptyset$ implies the last
conjunct in (7.2). Q.E.D.

The  following  lemma  shows  how  variables  that  are  not  in  the  spanning 
set  of  a  minimal  period,  can  be  removed  from  the  guard  of  a  transition  whose 
variable  is  in  the  spanning  set. 

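Lemma 7.2 Let $\sigma_{nt}$ be a non-transitory state. Let $\hat{\pi}$ be a minimal period.
Let $\alpha$ be an event such that $\mathrm{var}(\alpha) \in \mathrm{span}(\hat{\pi})$. Let the guard of $\mathrm{tran}(\alpha)$ be

$G = B_0 \vee B_1 \vee \ldots \vee B_m$.

For any $j$ such that $0 \le j \le m$, let $B_j = C_j \wedge C'_j$ where

$\mathrm{lit}(\beta) \in C_j \Rightarrow \mathrm{var}(\beta) \in \mathrm{span}(\hat{\pi}) \;\wedge\; \mathrm{lit}(\beta) \in C'_j \Rightarrow \mathrm{var}(\beta) \notin \mathrm{span}(\hat{\pi})$. (7.3)

Let

$H = \begin{cases} G \text{ with } B_j \text{ replaced by } C_j & \text{if } C'_j \text{ is true in } \sigma_{nt} \\ G \text{ with } B_j \text{ removed} & \text{if } C'_j \text{ is false in } \sigma_{nt}. \end{cases}$ (7.4)

Then, in any state $\tau$ reachable from $\sigma_{nt}$, the value of $G$ is true if and only
if the value of $H$ is true.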


Proof: Let $\tau$ be any state reachable from $\sigma_{nt}$. By Lemma 7.1, (7.1) exists
and (7.2) holds. Since $\mathrm{span}(\mathcal{A}) \subseteq \mathrm{span}(\hat{\pi})$, (7.3) implies

$C'_j$ is true in $\sigma_{nt}$ $\Leftrightarrow$ $C'_j$ is true in $\phi$. (7.5)
Next, assume that we are incrementally changing $G$ to $H$ by dealing with
each disjunct in sequence. Consider the following two cases:

Case 1: ($C'_j$ is true in $\sigma_{nt}$) Clearly, $G \Rightarrow H$. Suppose $H$ is true in $\tau$.
If there exists $j' \neq j$ such that $B_{j'}$ is true in $\tau$, then $G$ is true in $\tau$ and
we are done for this case. So, suppose for all $j' \neq j$, $B_{j'}$ is false in $\tau$ and
$C_j$ is true in $\tau$. $C_j$ remains true in $(\phi + q\pi)$ of (7.2) due to
$\mathrm{span}(\hat{\pi}) \cap \mathrm{span}(\pi) = \emptyset$. Consequently, $C_j$ is true in $\phi$. Also, by (7.5),
$C'_j$ is true in $\phi$. Therefore, $B_j$ is true in $\phi$ and $G$, the guard for $\mathrm{tran}(\alpha)$,
is true in $\phi$. By stability, $G$ is true in $\tau$ since $\alpha$ is not in $\mathcal{B}$. These
observations establish the lemma for this case.

Case 2: ($C'_j$ is false in $\sigma_{nt}$) By (7.4), $H \Rightarrow G$. Suppose $G$ is true in $\tau$.
By stability and $\alpha \notin \mathcal{B}$, $G$ is true in $(\phi + q\pi)$. So, $G$ is true in $\phi$. Now,
$C'_j$ is false in $\sigma_{nt}$ implies $C'_j$ is false in $\phi$; hence, $B_j$ is false in $\phi$. So, $G$
is true in $\phi$ due to some disjunct $B_{j'}$, $j' \neq j$, being true in $\phi$. Let
$B_{j'} = C_{j'} \wedge C'_{j'}$ with $C_{j'}$ containing only literals whose variables are in
$\mathrm{span}(\hat{\pi})$ and $C'_{j'}$ containing only literals whose variables are not. By (7.5),
$B_{j'}$ is true in $\phi$ implies $C'_{j'}$ is true in $\sigma_{nt}$. So, by Case 1, $C'_{j'}$ can be
removed. Consequently, we can assume that $B_{j'}$ contains only literals whose
variables are in $\mathrm{span}(\hat{\pi})$. But then $B_{j'}$ is true in $\phi$ implies $B_{j'}$ is true in $\tau$
due to $\mathrm{span}(\hat{\pi}) \cap \mathrm{span}(\pi) = \emptyset$. Consequently, $H$ is true in $\tau$ and the lemma
is established. Q.E.D.


Example 7.1: Consider again the PR set of Example 6.1. A non-transitory
state in its state graph is $\sigma_{nt} = 10000$. In all states reachable from $\sigma_{nt}$, the
behavior of the PR set is identical to the one below (see Figure 6.1):


-1Z2  -»•  ZlT 
Xi  ->  X2] 
->•  Zli 
-»■  X2I 


-^X4  — >•  x3t 
x3  — >•  z4T 
Xa  —> 

~^x3  —>  Xa[. 


Note  that  once  a  non-transitory  state  has  been  reached,  there  is  no  further 
interaction  between  the  variables  in  the  spanning  set  of  the  minimal  period 
02200  and  those  in  the  spanning  set  of  the  minimal  period  00022.  □ 

As illustrated by the previous example, Lemma 7.2 implies that each
minimal period $\hat{\pi}$ induces a PR set $\mathcal{P}'$ consisting only of variables in the
spanning set of $\hat{\pi}$. Moreover, as far as those firings that involve variables in
$\mathrm{span}(\hat{\pi})$ are concerned, the behavior of $\mathcal{P}'$ is identical to the behavior of the
original PR set $\mathcal{P}$ once a non-transitory state has been reached.

By Theorem 5.2, the PR sets induced by two different minimal periods
do not share any variables; hence, each can be analyzed independently. So,
for the rest of this chapter, all PR sets are assumed to be non-separable, each
containing only variables in the spanning set of its unique minimal period,
which will be denoted $\pi$. Moreover, unless stated otherwise, only states
reachable from some fixed non-transitory state $\sigma_{nt}$ are considered.

7.2  Delay  Insensitivity  and  Cause  Sets 

There are several technical issues concerning the definition of a “set of causes”
(or cause set) for an event in a PR set. For convenience, we will say that an
event $(x_k, l)$ has occurred in a state $\sigma$ if and only if $\sigma[k] \ge l$. Also, a set of
events, $A$, has occurred in $\sigma$ if and only if every event in $A$ has occurred in
$\sigma$.

Intuitively, one criterion for $A$ to be a cause set for $\alpha$ is that whenever
all the events in $A$ have occurred and $\alpha$ has not occurred, then $\alpha$ is enabled
to occur. Conversely, each occurrence of $\alpha$ should be because one of its
cause sets has occurred. However, these criteria are not sufficient to model
delay-insensitivity as the following example illustrates.

Example 7.2: Consider the PR set and its associated state graph shown in
Figure 7.1. First, note that there is no redundancy in the guard of $x_3\uparrow$:
$x_0$ is needed to avoid interference in state 21210, and $x_2$ is needed so that
$(x_3, 3)$ can fire in state 21321. Note also that at every state where $(x_1, 1)$
has occurred, $(x_3, 1)$ is enabled or has already occurred. Conversely, $(x_3, 1)$
occurs only after $(x_1, 1)$ has occurred. Thus, $\{(x_1, 1)\}$ may appear to be a
good candidate as the only cause set of $(x_3, 1)$.

This analysis, however, is inadequate in that it ignores the delays between
events. Recall that in the CMOS implementation of PR sets, if $\mathrm{lit}(\alpha)$ is a
literal in the guard of $\mathrm{tran}(\beta)$, and $\beta$ occurs due to an occurrence of $\alpha$,
then there is a delay associated with the two events which we can denote as
$\Delta(\alpha, \beta)$. For instance, the event $(x_3, 1)$ is enabled in state 11000 due to the
disjunct $x_0 \wedge x_1$ being true. Under the XER-system model, $t((x_3, 1))$, the
-1Z3  A  -nXi  — >  ZoT

X0  —>  Xit 

Xi  A  xi  V  x0  A  X\  — >  ^2  T 

x0  A  Xi  V  x2  —  X'3 1 

%2  A  x3  —  x0| 

-1X4  A  -i^o  — >■  2:2 1 

-i^o  A  -iz2  — »■  x3  j 

Xi  A  -irc3  A  -i^o  — >■  X4| 

I4A13  — >  24  j 

— * -  x^l 


Figure 7.1: Example 7.2
time at which $(x_3, 1)$ occurs, satisfies

$t((x_3, 1)) \ge t((x_0, 1)) + \Delta((x_0, 1), (x_3, 1)) \;\wedge\; t((x_3, 1)) \ge t((x_1, 1)) + \Delta((x_1, 1), (x_3, 1))$. (7.6)

Similarly, the PR for $x_1\uparrow$ implies

$t((x_1, 1)) \ge t((x_0, 1)) + \Delta((x_0, 1), (x_1, 1))$.

Therefore, even though $(x_1, 1)$ having occurred in a state implies $(x_0, 1)$ has
also occurred, without further timing assumption, it is possible that

$\Delta((x_0, 1), (x_1, 1)) + \Delta((x_1, 1), (x_3, 1)) < \Delta((x_0, 1), (x_3, 1))$.

Hence, using $\{(x_1, 1)\}$ as a cause set for $(x_3, 1)$ would ignore the possibility
that it may be the timing constraint corresponding to $(x_0, 1)$ that determines
when $(x_3, 1)$ can occur.

Next, suppose, because of the previous arguments, $\{(x_0, 1), (x_1, 1)\}$ is chosen
as the only cause set of $(x_3, 1)$. Certainly, $(x_3, 1)$ occurs or has occurred
if and only if that set has occurred. Once again, however, this choice is
inadequate. In state 11100, both disjuncts in the guard for $x_3\uparrow$ are true. Since
$x_2$ is in the guard of $x_3\uparrow$, $(x_3, 1)$ can occur after a sufficient delay has elapsed
since the occurrence of $(x_2, 1)$. Hence, $t((x_3, 1))$ needs to satisfy either (7.6)
or

$t((x_3, 1)) \ge t((x_2, 1)) + \Delta((x_2, 1), (x_3, 1))$. (7.7)

So, once again, without further timing assumption, it is possible that
$\Delta((x_0, 1), (x_3, 1))$ and $\Delta((x_1, 1), (x_3, 1))$ are sufficiently large so that $(x_3, 1)$
occurs due to satisfying the timing constraint (7.7). Thus, when the delays
between events can be arbitrary, the “complete set of cause sets” for $(x_3, 1)$
in this example is $\{\{(x_0, 1), (x_1, 1)\}, \{(x_2, 1)\}\}$. □

As the previous example demonstrates, for arbitrary delays, it is necessary
to consider the guard of $\mathrm{tran}(\alpha)$ to determine the set of cause sets for $\alpha$.
In particular, whenever there is a state where a disjunct of the guard is
true, then a cause set containing the most recent events involving all of the
variables in the disjunct needs to be included. This necessity arises from
the fact that any one such event may be the event that determines when $\alpha$
can occur if the delay between them is large enough. Similarly, to have a
complete set of cause sets, a cause set associated with every disjunct that is
true in some state where $\alpha$ is enabled needs to be included since, under an
appropriate set of delays, $\alpha$ may occur due to the timing constraint specified
by that particular disjunct.

To  formalize  these  notions,  we  have  the  definitions  below.  The  first  is 
to  identify  the  most  recent  events  that  are  responsible  for  the  literals  of  a 
Boolean  function  being  true  in  a  particular  state.  The  next  two  are  the 
definitions  of  causes.  Note  that  (7.9)  and  the  first  condition  in  (7.11)  are  the 
intuitive  criteria  mentioned  in  the  beginning  of  the  section,  whereas  (7.10) 
and  the  second  condition  in  (7.11)  are  due  to  modeling  arbitrary  delays  as 
discussed  in  the  previous  paragraph. 

Definition: If $B$ is a Boolean expression, then the set of witnesses of $B$ in
$\sigma$ is

$\mathrm{wit}(B, \sigma) = \{x_k, l : \mathrm{lit}((x_k, l)) \text{ is a literal in } B \wedge \sigma[k] = l : (x_k, l)\}$. (7.8)


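Definition: A set of events $A$ is a cause set for an event $\alpha$ if

$\forall \tau : A \text{ has occurred in } \tau \text{ and } \alpha \text{ has not occurred in } \tau : \mathrm{enb}(\alpha, \tau)$, (7.9)

and

$\exists \sigma, B : B \text{ is a disjunct in the guard of } \alpha : B \text{ is true in } \sigma \wedge \mathrm{wit}(B, \sigma) \subseteq A$. (7.10)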


Definition: The set of $L$ sets of events, $\{A_0, A_1, \ldots, A_{L-1}\}$, is a complete
set of cause sets (CSCS) for $\alpha$ if each $A_i$ is a cause set of $\alpha$, and, for any
state $\sigma$ such that $\mathrm{enb}(\alpha, \sigma)$ and for any disjunct $B_j$ in the guard of $\alpha$ such
that $B_j$ is true in $\sigma$, there exists $A_i$ such that

$A_i \text{ has occurred in } \sigma \wedge \mathrm{wit}(B_j, \sigma) \subseteq A_i$. (7.11)

Definition: A cause set $A$ for $\alpha$ is minimal if no proper subset of $A$ is a
cause set of $\alpha$. A CSCS $S$ for $\alpha$ is minimal if each member of $S$ is a minimal
cause set for $\alpha$ and no proper subset of $S$ is a CSCS for $\alpha$.

In the next three sub-sections, we will describe how to determine the
CSCS of any event. Section 7.3 gives some general results. Section 7.4 deals
only with PR’s with stable disjuncts, whereas Section 7.5 includes those with
unstable disjuncts.


7.3  Last-Enabled  States 

Definition: A last-enabled state of an event $\alpha$ is a state $\sigma$ such that $\alpha$ is
the only event enabled at $\sigma$.

Lemma 7.3 Let $\sigma$ be any last-enabled state for $\alpha$. If $\tau$ is a state such that
$\alpha$ has not occurred, then $\tau \xrightarrow{*} \sigma$.

Proof: Let $\phi$ be the c.c.d. for $\tau$ and $\sigma$. Since $\alpha$ has not occurred in $\tau$ and $\sigma$,
$\alpha$ has not occurred in $\phi$ by Lemma 5.8. Consequently, $\sigma = \phi$ since $\sigma \xrightarrow{*} \phi$
and the only event enabled at $\sigma$ is $\alpha$ which has not occurred in $\phi$. Hence,
$\tau \xrightarrow{*} \sigma$. Q.E.D.

Corollary 7.4 For any event $\alpha$, there is at most one last-enabled state for
$\alpha$. This state will be denoted $\mathrm{last}(\alpha)$ if it exists.

Proof: Follows from the previous lemma and the fact that $\alpha$ has not occurred
in any last-enabled state of $\alpha$. Q.E.D.

Lemma 7.5 Let $B$ be a disjunct in the guard for $\mathrm{tran}(\alpha)$. For any $\sigma$ such
that $\mathrm{enb}(\alpha, \sigma)$ and $B$ is true in $\sigma$, if $\mathrm{wit}(B, \sigma) = \mathrm{wit}(B, \mathrm{last}(\alpha))$, then
$\mathrm{wit}(B, \sigma)$ is a minimal cause set of $\alpha$.

Proof: Let $\tau$ be any state such that $\mathrm{wit}(B, \sigma)$ has occurred and $\alpha$ has
not occurred. By Lemma 7.3, $\tau \xrightarrow{*} \mathrm{last}(\alpha)$. So, for any event $(x_k, l)$ in
$\mathrm{wit}(B, \sigma)$, $l = \sigma[k] \le \tau[k] \le \mathrm{last}(\alpha)[k] = l$. Hence, each literal in $B$ has the
same value in $\sigma$ as in $\tau$. Therefore, $\mathrm{enb}(\alpha, \tau)$, which validates (7.9). Also,
the hypothesis implies (7.10) directly. So, $\mathrm{wit}(B, \sigma)$ is a cause set of $\alpha$.

Now, if $\mathrm{wit}(B, \sigma)$ is not minimal then there exists another cause set $A'$
such that $A' \subset \mathrm{wit}(B, \sigma)$. But then, by definition, there exist $\sigma'$ and a
disjunct $B'$ in the guard of $\alpha$ such that

$\mathrm{wit}(B', \sigma') \subseteq A' \subset \mathrm{wit}(B, \sigma)$.

So, every literal in $B'$ is in $B$, violating the fact that the guard of $\mathrm{tran}(\alpha)$ is
in DNF. Q.E.D.
7.4 Stable Disjuncts

Lemma 7.6 Let $B$ be a stable disjunct of the PR for $\mathrm{tran}(\alpha)$. If $B$ is
true in $\sigma$, $\sigma \xrightarrow{*} \phi$, $\mathrm{enb}(\alpha, \sigma)$, and $\mathrm{enb}(\alpha, \phi)$, then $B$ is true in $\phi$ and
$\mathrm{wit}(B, \sigma) = \mathrm{wit}(B, \phi)$.

Proof: Let $(x_k, l)$ be an event in $\mathrm{wit}(B, \sigma)$. If $(x_k, l + 1)$ occurs in the path
$\sigma \xrightarrow{*} \phi$, then $B$ becomes false in an intermediate state along that path before
the occurrence of $\alpha$. Consequently, $B$ is not a stable disjunct. So, to avoid
a contradiction, for every $(x_k, l)$ in $\mathrm{wit}(B, \sigma)$, $\phi[k] = \sigma[k]$ and the lemma
follows. Q.E.D.


Corollary 7.7 If $B$ is a stable disjunct of the PR for $\mathrm{tran}(\alpha)$, $\mathrm{enb}(\alpha, \sigma)$,
and $B$ is true in $\sigma$, then $\mathrm{wit}(B, \sigma)$ is a minimal cause set of $\alpha$.

Proof: Follows directly from Lemma 7.5 and the previous lemma where $\phi$
is replaced by $\mathrm{last}(\alpha)$. Q.E.D.

Note  that  the  condition  of  stable  disjunct  is  necessary  as  Example  7.6  in 
Section  7.5  demonstrates.  That  example  also  illustrates  an  unstable  disjunct 
that  satisfies  the  hypothesis  of  Lemma  7.5. 


Lemma 7.8 Let the guard for $\mathrm{tran}(\alpha)$ be $B_0 \vee B_1 \vee \ldots \vee B_m$. If all the $B_i$’s
are mutex and each $B_i$ is stable, then $\mathrm{enb}(\alpha, \sigma) \wedge B_j$ is true in $\sigma$ implies
$\{\mathrm{wit}(B_j, \sigma)\}$ is a minimal CSCS for $\alpha$.


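Proof: By Corollary 7.7, $\mathrm{wit}(B_j, \sigma)$ is a minimal cause set. Let $\tau$ be a state
such that $\mathrm{enb}(\alpha, \tau)$. Let $\sigma_{nt} \xrightarrow{\mathcal{B}}{}^{*} \sigma$ and $\sigma_{nt} \xrightarrow{\mathcal{C}}{}^{*} \tau$. Then by Lemma 5.7, there
exists $\phi$ such that

$(\sigma \xrightarrow{\mathcal{C} \setminus \mathcal{B}}{}^{*} \phi) \wedge (\tau \xrightarrow{\mathcal{B} \setminus \mathcal{C}}{}^{*} \phi)$.

Since $\alpha \notin (\mathcal{B} \cup \mathcal{C})$, $\mathrm{enb}(\alpha, \phi)$.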

Now, $\mathrm{enb}(\alpha, \tau)$ implies there exists $i$ such that $B_i$ is true in $\tau$. If
$i \neq j$, then, by the fact that both $B_i$ and $B_j$ are stable disjuncts,
$B_i \wedge B_j$ is true in $\phi$ which contradicts the hypothesis. So, $i = j$. Again, by
the fact that $B_j$ is a stable disjunct, $\mathrm{wit}(B_j, \tau) = \mathrm{wit}(B_j, \phi) = \mathrm{wit}(B_j, \sigma)$.
Hence, $\mathrm{wit}(B_j, \sigma)$ has occurred in $\tau$.

To establish the second condition in (7.11), note that if $B_i$ is true in $\tau$,
then by the arguments above, $B_i = B_j$ and so $\{\mathrm{wit}(B_j, \sigma)\}$ is a CSCS. The
fact that it is minimal follows from the fact that its only element is a minimal
cause set. Q.E.D.

Corollary 7.9 If the guard for $\mathrm{tran}(\alpha)$ is a conjunction $B$ and $\mathrm{enb}(\alpha, \sigma)$,
then a minimal CSCS for $\alpha$ is $\{\mathrm{wit}(B, \sigma)\}$.

Proof: The claim follows directly from the lemma above and the fact that
$B$ is a stable disjunct. Q.E.D.

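Lemma 7.10 Let $B_0 \vee B_1 \vee \ldots \vee B_m$ be the guard for $\mathrm{tran}(\alpha)$. If all of the
$B_i$’s are stable disjuncts, then

$\Omega(\alpha) = \{B_i : B_i \text{ is true in } \mathrm{last}(\alpha) : \mathrm{wit}(B_i, \mathrm{last}(\alpha))\}$ (7.12)

is a minimal CSCS for $\alpha$.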

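Proof: By Lemma 7.7, each $\mathrm{wit}(B_i, \mathrm{last}(\alpha))$ in $\Omega(\alpha)$ is a minimal cause set.
Let $\tau$ be a state such that $\mathrm{enb}(\alpha, \tau)$. Then, by Lemma 7.3, $\tau \xrightarrow{*} \mathrm{last}(\alpha)$.
Now, $\mathrm{enb}(\alpha, \tau)$ implies there exists $B_i$ such that $B_i$ is true in $\tau$. By stability
on $B_i$, $B_i$ is true in $\mathrm{last}(\alpha)$ and $\mathrm{wit}(B_i, \tau) = \mathrm{wit}(B_i, \mathrm{last}(\alpha))$. Hence,
$\mathrm{wit}(B_i, \mathrm{last}(\alpha))$ has occurred in $\tau$.

To establish the second condition in (7.11), suppose $B'$ is true in $\sigma'$ and
$\mathrm{enb}(\alpha, \sigma')$ for some disjunct $B'$ in the guard of $\alpha$. By the arguments
above, $\sigma' \xrightarrow{*} \mathrm{last}(\alpha)$. Hence, by Lemma 7.6, $B'$ is true in $\mathrm{last}(\alpha)$ and
$\mathrm{wit}(B', \sigma') = \mathrm{wit}(B', \mathrm{last}(\alpha)) \in \Omega(\alpha)$; so, $\Omega(\alpha)$ is a CSCS. Furthermore,
all its members are minimal cause sets. Also, if $\mathrm{wit}(B_j, \mathrm{last}(\alpha))$ is removed
from the set, then there does not remain an element $A_i$ in the set such that

$A_i \text{ has occurred in } \mathrm{last}(\alpha) \wedge \mathrm{wit}(B_j, \mathrm{last}(\alpha)) \subseteq A_i$

because the guard of $\alpha$ is in DNF. Hence, $\Omega(\alpha)$ is a minimal CSCS for $\alpha$.
Q.E.D.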

Corollary 7.11 If $\{A_0, A_1, \ldots, A_{L-1}\}$ is a minimal CSCS of $\alpha$ as
prescribed by Lemma 7.10, then for any $i > 0$, $\{A_0 \oplus i\pi, A_1 \oplus i\pi, \ldots,
A_{L-1} \oplus i\pi\}$ is a minimal CSCS of $\alpha \oplus i\pi$.

Proof: Since for any $\beta$ and $\sigma$, $\mathrm{enb}(\beta, \sigma)$ if and only if $\mathrm{enb}(\beta \oplus \pi, \sigma + \pi)$,
$\mathrm{last}(\alpha \oplus \pi) = \mathrm{last}(\alpha) + \pi$. The corollary then follows from Lemma 7.7 and
the observation that $\mathrm{wit}(B, \sigma + i\pi) = (\mathrm{wit}(B, \sigma) \oplus i\pi)$. Q.E.D.


7.4.1  Conversion  to  XER-systems 

Let $\mathcal{P}$ be a non-separable PR set with minimal period $\pi$. Further, let $\sigma_{nt}$
be a non-transitory state and suppose that the transformation described in
Section 7.1 has been performed so that all variables not in the spanning set
of $\pi$ have been removed. Let


0o 


C^n_i 


(Tn 


(7.13) 


with $\sigma_0 = \sigma_{nt}$ be a minimal cycle. Then, as will be shown later, the causality
and delay relationships of the PR set can be modeled by the repetitive
XER-system $X' = \langle E', R', \delta, \theta \rangle$ described below. (To avoid ambiguity, events and
transitions in the state graph will continue to be referred to as such,
while events and transitions in the XER-system will be explicitly qualified.)

• $E'$ is a set of $n$ XER-system transitions, one associated with each $\alpha_i$
in (7.13). For reference, let $u(\alpha_i)$ denote the XER-system transition of
$X'$ that corresponds to $\alpha_i$. Note that $u(\alpha_i)$ is different from $\mathrm{tran}(\alpha_i)$:
If $(x_k, l)$ and $(x_k, l + 2)$ are both in the cycle, then $\mathrm{tran}((x_k, l)) =
\mathrm{tran}((x_k, l + 2))$. However, $u((x_k, l))$ and $u((x_k, l + 2))$ are different
XER-system transitions in $X'$. See Example 7.3.

• $R'$ is the set of templates generated by Algorithm 2.

• $\theta$ is the occurrence-index offset function defined over the domain

$V = \{(u, v, q) : q \in R' \wedge u \in \mathrm{src}(q) \wedge v = \mathrm{tar}(q) : (u, v, q)\}$.

The value of each $\theta(u, v, q)$ is determined by Algorithm 2.

• $\delta$ is the delay function between transitions, under some user-selected
timing model, over the domain $V$.

As described above, Algorithm 2, shown in Section A.2, is used to convert
a PR set into an XER-system. Note that the procedure fire_only(D, s) starts
at state $s$ and traces out a path firing only events in $D$. If $\mathcal{E}(\mathcal{P})$ is the set of
all possible events in PR set $\mathcal{P}$ and $\mathrm{enb}(\alpha, s)$, then fire_only($\mathcal{E}(\mathcal{P}) \setminus \{\alpha\}$, s)
returns $\mathrm{last}(\alpha)$. To see that this is the case, if the procedure does not
terminate, then there exists a cycle that does not contain $\alpha$. This existence implies
the graph is either separable or $s$ is not a non-transitory state; both are
situations that have been excluded by our assumption. Hence, fire_only()
terminates. Furthermore, let $\sigma$ be the state returned by the procedure. By
stability, $\mathrm{enb}(\alpha, \sigma)$; so, by construction, $\sigma = \mathrm{last}(\alpha)$.

The  transformation  of  a  PR  set  into  an  XER-system  is  illustrated  by  the 
example  below;  arguments  for  its  correctness  will  be  provided  afterward. 

Example 7.3: Continuing with Example 6.6, since each variable transition,
except for $g\uparrow$ and $g\downarrow$, appears only once in the cycle (6.20), we can define
$u((x_k, l))$ as


u((xk,l)) 


tran  ((xk,l)) 

ifxk^g 

‘dt:0’ 

if  (xk,l)  =  (g,  1) 

‘dt:0’ 

if  (xkJ)  =  (g,  2) 

‘9V-r 

if  (xh,l)  =  (g,  3) 

II 

a 

•  i- 1 

Hence, the PR set can be described by the repetitive XER-system $X' =
\langle E', R', \delta, \theta \rangle$ whose set of transitions is


E'  =  {afjT,  aFii,  aT{  |,  aTjJ.,  bFtf,  bFii,  bTrf,  bTii, 
cF0 T,  cFol,  cT0 1,  cT0[,  dOt,  ^0|,  dlf,  dl[, 
eOT,  eOj,  elt,  el|,  VpO’,  lg ]:1\ lgi:F}. 

To determine $R'$ and $\theta$, Algorithm 2 is applied with (6.20) as the minimal
cycle. For the first event $(bT_i, 1)$, its guard is conjunctive; so, gen_template()
is called with wit(guard of $bT_i\uparrow$, $\sigma_0$) and $(bT_i, 1)$ as arguments. Since
$\mathrm{wit}(\neg e1 \wedge \neg e0, \sigma_0) = \{(e0, 0), (e1, 0)\}$, the template $\{e0\downarrow, e1\downarrow\} \mapsto bT_i\uparrow$
is added to $R'$. Moreover, note that $(bT_i, 1)$ occurs in the cycle (6.20) but
both $(e0, 0)$ and $(e1, 0)$ occur one period earlier. So, to reflect these
differences in occurrence-indices, gen_template() defines

$\theta(e0\downarrow, bT_i\uparrow, \{e0\downarrow, e1\downarrow\} \mapsto bT_i\uparrow) = 1$,

$\theta(e1\downarrow, bT_i\uparrow, \{e0\downarrow, e1\downarrow\} \mapsto bT_i\uparrow) = 1$.
The second event in the cycle is $(g, 1)$. All the disjuncts in its guard are
stable, so stab_disj() is called. Since the disjuncts are mutually exclusive, an
examination of the guard in $\sigma_1$ yields $aT_i \wedge bT_i$ as the only true disjunct
in that state. Hence, gen_template() is called with $\{(aT_i, 1), (bT_i, 1)\}$ and
$(g, 1)$ as arguments. The same call would have been made even if it had not
been known that the disjuncts in the guard of $g\uparrow$ are mutually exclusive. So,
the template

$\{aT_i\uparrow, bT_i\uparrow\} \mapsto$ ‘$g\uparrow$:0’

and function values

$\theta(aT_i\uparrow,$ ‘$g\uparrow$:0’$, \{aT_i\uparrow, bT_i\uparrow\} \mapsto$ ‘$g\uparrow$:0’$) = 1$,
$\theta(bT_i\uparrow,$ ‘$g\uparrow$:0’$, \{aT_i\uparrow, bT_i\uparrow\} \mapsto$ ‘$g\uparrow$:0’$) = 0$

are added.

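The third event in the cycle is $(cT_o, 1)$. All the disjuncts in its guard
are stable but not mutually exclusive. So, fire_only() is called to find
$\mathrm{last}((cT_o, 1))$ which, in this case, turns out to be $\sigma_2$. In that state, both
the disjuncts $g \wedge aT_i$ and $g \wedge bT_i$ are true. Hence, the templates

$\{$‘$g\uparrow$:0’$, aT_i\uparrow\} \mapsto cT_o\uparrow$, $\{$‘$g\uparrow$:0’$, bT_i\uparrow\} \mapsto cT_o\uparrow$

and function values

$\theta($‘$g\uparrow$:0’$, cT_o\uparrow, \{$‘$g\uparrow$:0’$, aT_i\uparrow\} \mapsto cT_o\uparrow) = 0$,

$\theta(aT_i\uparrow, cT_o\uparrow, \{$‘$g\uparrow$:0’$, aT_i\uparrow\} \mapsto cT_o\uparrow) = 1$,

$\theta($‘$g\uparrow$:0’$, cT_o\uparrow, \{$‘$g\uparrow$:0’$, bT_i\uparrow\} \mapsto cT_o\uparrow) = 0$,

$\theta(bT_i\uparrow, cT_o\uparrow, \{$‘$g\uparrow$:0’$, bT_i\uparrow\} \mapsto cT_o\uparrow) = 0$

are added.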

By continuing the analysis for the other events in the cycle, $R'$ and $\theta$ can
be determined. □

We will now proceed to prove the correctness of Algorithm 2 in the case
where the PR’s have only stable disjuncts. The case of unstable disjuncts is
very complicated and will be postponed until the next section.

First, we will say that the XER-system event $(u(\alpha), e)$ “represents” the
event $(\alpha \oplus e\pi)$. Analogously, we extend the definition to sets of events and
to sets of sets of events.
Lemma 7.12 Suppose $\mathcal{P}$ has only stable disjuncts. Let $X'$ be the repetitive
XER-system generated by Algorithm 2. Let $X$ be the general XER-system
induced by $X'$. Then, for all $i > \theta_{\max}$, if the XER-system event $(u, i)$
represents the event $\alpha$, then the set of all cause sets of $(u, i)$ in $X$ represents
a minimal CSCS of $\alpha$.

Proof: By Corollary 7.7, whenever gen_template() is called from Algorithm 2
or from stab_disj(), its first argument is a minimal cause set of its second
argument. Moreover, for any $\alpha_i$, let $W_i$ be the set of all $\mathrm{wit}(B, \sigma)$ such
that there is a call of gen_template($\mathrm{wit}(B, \sigma)$, $\alpha_i$) during the execution of
the algorithm. From the topology of the program and Lemmas 7.9, 7.8, and
7.10, $W_i$ is a minimal CSCS for $\alpha_i$.

Next, suppose the call gen_template($\{\gamma_0, \gamma_1, \ldots, \gamma_J\}$, $\alpha$) is made. By the
assumption made on the input PR set, every variable occurs in the minimal
cycle (7.13). Consequently, for each event $\gamma_j$, there exist an event $\beta_j$ in the
cycle and an integer $e_j$ such that $\gamma_j = (\beta_j \oplus e_j\pi)$. So, let $\gamma_j$ be represented
by the pair $(u(\beta_j), e_j)$ which is an XER-system event if $e_j > 0$.

The template generated by gen_template($\{j :: \gamma_j\}$, $\alpha$) is

$q = \{j :: u(\beta_j)\} \mapsto u(\alpha)$ (7.14)

with

$\theta(u(\beta_j), u(\alpha), \{j :: u(\beta_j)\} \mapsto u(\alpha)) = -e_j$. (7.15)

By (4.7), this template induces the rule

$q|_i = \{j :: (u(\beta_j), i + e_j)\} \mapsto (u(\alpha), i)$

for $i > \theta_{\max}$. However, by Corollary 7.11, $\gamma_j = (\beta_j \oplus e_j\pi)$ is in a cause
set of $\alpha$ implies $(\gamma_j \oplus i\pi) = (\beta_j \oplus (i + e_j)\pi)$ is in a cause set of $(\alpha \oplus i\pi)$, for
any $i > 0$. So, for $i > \theta_{\max} > \max\{-e_j\}$, the source set of $q|_i$ represents
the cause set $(\{j :: \gamma_j\} \oplus i\pi)$ of $(\alpha \oplus i\pi)$. By Corollary 7.11, this cause set
is minimal. Moreover, since $\{j :: \gamma_j\}$ can be any minimal cause set of $\alpha$,
the same corollary implies that the set of all cause sets of $(u(\alpha), i)$ in $X$
represents a minimal CSCS of $(\alpha \oplus i\pi)$. Q.E.D.

The interpretation of this result is that $\mathcal{P}$ can be specified as a
pseudorepetitive XER-system whose repeated part is $X'$, as generated by
Algorithm 2. Since, by Lemma 4.8, the period of a pseudorepetitive system is the
same as its repeated part, it is therefore sufficient to analyze $X'$.
~^x3  — ►  Xot

-*X2  A  -1X3  — >■  Xit 

Xi  -»•  £2T 

2:2  ->•  £ij 

x0  A  Xi  V  £0  A  X2  — >  rc3 1 

Ai3  — >  x2J. 

-'Zi  Ai3  — >  x0| 

~'X0  A  -iz2  — »•  £3  j 


Figure  7.2:  A  state  graph  with  an  unstable  disjunct 

7.5  Unstable  Disjuncts 

If  the  PR  of  an  event  contains  an  unstable  disjunct,  then  the  analysis  needed 
to  determine  its  CSCS  becomes  very  complicated.  Consider  the  following 
simple  example. 

Example 7.4: In Figure 7.2, a PR set and its state graph are shown. Note
that $x_0 \wedge x_1$ is an unstable disjunct for $x_3\uparrow$. Now, suppose that, in
applying Algorithm 1 of the previous chapter, the cycle in bold is found. If
only the disjuncts that are true in $\mathrm{last}((x_3, 1)) = 1210$ are considered (as
per Corollary 7.7 for stable disjuncts), then an erroneous conclusion that
$\mathrm{wit}(x_0 \wedge x_2, 1210) = \{(x_0, 1), (x_2, 1)\}$ is the only cause set of $(x_3, 1)$ will be
made. Instead, it is necessary to “backtrack” from state 1210 to state 1100,
which is not in the cycle, in order to determine that $\{(x_0, 1), (x_1, 1)\}$ is also
a cause set. □
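Example 7.4 can be replayed mechanically. The Python sketch below is an added illustration, not the thesis's Algorithm 2: it encodes only the rules of Figure 7.2 that can fire before $x_3$ first rises, assumes every variable starts low (state 0000), and takes "unstable" to mean that a true disjunct can become false while the event is still pending, as in the proof of Lemma 7.6. All function and constant names are hypothetical.

```python
from collections import deque

# Constructed encoding of the readable production rules of Figure 7.2.
# A guard is in DNF: a list of disjuncts, each a tuple of (variable, value)
# literals. A rule is (variable, value after firing, guard). Rules that can
# fire only after x3 has risen are omitted: the search stops at (x3, 1).
RULES = [
    (0, 1, [((3, 0),)]),                           # ~x3 -> x0 up
    (1, 1, [((2, 0), (3, 0))]),                    # ~x2 & ~x3 -> x1 up
    (2, 1, [((1, 1),)]),                           # x1 -> x2 up
    (1, 0, [((2, 1),)]),                           # x2 -> x1 down
    (3, 1, [((0, 1), (1, 1)), ((0, 1), (2, 1))]),  # x0&x1 | x0&x2 -> x3 up
]
INITIAL = (0, 0, 0, 0)  # assumption: every variable starts low
TARGET = (3, 1)         # the event (x3, 1)

def value(state, k):
    """Boolean value of x_k; state[k] counts the transitions of x_k."""
    return state[k] % 2

def holds(disjunct, state):
    return all(value(state, k) == v for k, v in disjunct)

def enabled(state):
    """Map every event enabled in `state` to the guard of its rule."""
    events = {}
    for k, new, guard in RULES:
        if value(state, k) != new and any(holds(d, state) for d in guard):
            events[(k, state[k] + 1)] = guard
    return events

def fire(state, event):
    k, index = event
    return state[:k] + (index,) + state[k + 1:]

def wit(disjunct, state):
    """Witnesses (7.8) of a disjunct that is true in `state`."""
    return frozenset((k, state[k]) for k, _ in disjunct)

def pending_states(initial, target):
    """All states reachable from `initial` without firing `target`."""
    seen, queue = {initial}, deque([initial])
    while queue:
        s = queue.popleft()
        for event in enabled(s):
            t = fire(s, event)
            if event != target and t not in seen:
                seen.add(t)
                queue.append(t)
    return seen

def last_enabled(states, target):
    """The state in which `target` is the only enabled event, if unique."""
    found = [s for s in states if set(enabled(s)) == {target}]
    return found[0] if len(found) == 1 else None

def witness_sets(states, target):
    """wit(B, s) for every state s enabling `target` and every true B."""
    return {wit(d, s)
            for s in states
            for d in enabled(s).get(target, [])
            if holds(d, s)}

def unstable_disjuncts(states, target):
    """Disjuncts that some other firing falsifies while `target` is pending."""
    bad = set()
    for s in states:
        events = enabled(s)
        for d in events.get(target, []):
            if holds(d, s) and any(e != target and not holds(d, fire(s, e))
                                   for e in events):
                bad.add(d)
    return bad

STATES = pending_states(INITIAL, TARGET)
LAST = last_enabled(STATES, TARGET)
AT_LAST = witness_sets({LAST}, TARGET)    # what Corollary 7.7 alone would use
EVERYWHERE = witness_sets(STATES, TARGET)  # includes the backtracked state 1100

if __name__ == "__main__":
    print("last((x3,1)) =", LAST)
    print("witness sets at last:", sorted(map(sorted, AT_LAST)))
    print("witness sets over all enabling states:",
          sorted(map(sorted, EVERYWHERE)))
    print("unstable disjuncts:", unstable_disjuncts(STATES, TARGET))
```

Restricting attention to the last-enabled state yields a single witness set, while the full enumeration also recovers the one contributed by the unstable disjunct $x_0 \wedge x_1$.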

This section addresses the issues concerning unstable disjuncts. Because
each unstable disjunct can switch between true and false, and vice versa,
almost arbitrarily, no succinct result on how to determine the minimal CSCS
of an event has been found. Instead, we will describe a method for finding
a CSCS that, in practice, is often minimal. Unfortunately, the procedure, in
the worst-case, has exponential complexity. Hence, since unstable disjuncts
arise rarely in practice, for those readers who are willing to restrict their
consideration to PR sets with only stable disjuncts, this section can be skipped
with little loss of continuity.


7.5.1  Backtracking 

As illustrated in the previous example, if the guard of an event has an
unstable disjunct, then to find its CSCS, it is sometimes necessary to “trace
backward” from a given state $\sigma$ to another state $\tau$ such that there exists
$\beta$ with $\tau \xrightarrow{\beta} \sigma$. Now, the guard of $\mathrm{tran}(\beta)$ is true in $\tau$, so it is true in
$\sigma$ since no self-invalidating PR’s are allowed. Also, if $\beta = (x_k, l)$, then by
definition of state change, $\sigma[k] = l$. However, these two criteria are not
sufficient to allow one to “backtrack” from a given state as the following example
illustrates.


Example 7.5: Continuing with the previous example, let $\sigma = 2211$.
Suppose we want to find all events $(x_k, l)$ and states $\tau$ such that $\tau \xrightarrow{(x_k, l)} \sigma$. In
state $\sigma$, the guard for $\mathrm{tran}((x_0, 2))$ is true and $\sigma[0] = 2$. As it turns out,
$1211 \xrightarrow{(x_0, 2)} \sigma$. However, the guard for $\mathrm{tran}((x_1, 2))$ is also true in $\sigma$ and
$\sigma[1] = 2$. But, there is not a state $\tau$ such that $\tau \xrightarrow{(x_1, 2)} \sigma$. □

To  fully  describe  the  procedure  for  backtracking,  we  have  the  following 
definition. 

Definition: The set of incoming events of $\sigma$, denoted $\mathrm{incoming}(\sigma)$, is

$$\{\alpha : (\exists \tau :: \tau \xrightarrow{\alpha} \sigma) : \alpha\}.$$

On page 166, the procedure find_incoming(s), which is used for
determining incoming(s), is outlined. By the arguments given in the beginning
of this sub-section, I, when initialized, is a superset of incoming(s). Note
that if $b \in I$, then b occurs in the path from to s and therefore D exists.
The rest of the procedure determines which of the original members of I can
be removed to yield incoming(s). The test makes use of Lemma 5.14: If




(f)  -k~+  s  and  b  G  D,  then 

Vr  ::  (r — >  s  <t4>  (p  T)- 

Thus, any b whose corresponding t does not change to s via b is not an
incoming event of s. Hence, after the removal of all such b’s, I is incoming(s).
If a list of events leading to s is maintained as, for instance,

$$\sigma_{\mathrm{init}} \xrightarrow{\alpha_0} \sigma_1 \xrightarrow{\alpha_1} \sigma_2 \xrightarrow{\alpha_2} \cdots \xrightarrow{\alpha_{n-2}} \sigma_{n-1} \xrightarrow{\alpha_{n-1}} s,$$

then determining D in find_incoming(s) amounts to finding $\alpha_j$ such that
$\alpha_j = b$ and letting D be $\{i : j < i < n : \alpha_i\}$, which, typically, is a small set.
Also, in cases where it is necessary to backtrack several steps from a state,
E does not need to be evaluated anew each step; instead, it can be updated
incrementally by determining which guards change values after each step.


7.5.2  Cause  Sets 


As an illustration of how the presence of unstable disjuncts in a guard can
create situations that may seem counter-intuitive at first, consider the
following example.


Example  7.6:  Consider  the  following  PR  set: 


-i  2%  A  -1X4  V  x0  A  x5  A  -1X4 

~'X5 

x0 

-1X4  A  x3  V  -1X4  A  X2  A  -1X5  V14  A  -1X3 

x0  A  Xi  A  -1X3  V  X2  A  x3  A  Xi  V  x2  A  £4 

Xi  A  x3 

£4  A  -1X1  A  x0 

X2  A  x5  A  rci  A  £4  A  -1X3 

£5  A  -i£0 

-1X3  A  -1X4  A  -ix0  V  x3  A  x4 
x5  A  -ix0  A  -1X1 
x5  A  -ix0  A  -ix2 


ZsT 
ZoT 
£2! 
XiT 
ZsT 
x4T 
a&J. 
Sd  i 
x4| 
Xll 

%2  i 
Xsl- 


Its state graph is depicted in Figure 7.3 where states at which $(x_5, 1)$ is
enabled are shown in bold.

[Figure 7.3: PR set with unstable disjuncts]
Let $\alpha$ be $(x_5, 1)$. Accordingly, let $B_0$ be $x_0 \wedge x_1 \wedge \neg x_3$, $B_1$ be $x_2 \wedge x_3 \wedge x_1$,
and $B_2$ be $x_2 \wedge x_4$. The following are some interesting observations concerning
the cause sets of $\alpha$.

•  $B_0$ is an unstable disjunct for $\mathrm{tran}(\alpha)$ because it is true in 111000
and becomes false in 111100 before $\alpha$ has occurred. Moreover,
$\mathrm{wit}(B_0, 111000) = \{(x_0, 1), (x_1, 1), (x_3, 0)\}$. So, at state 120210,
$\mathrm{wit}(B_0, 111000)$ has occurred. But, in that state $\alpha$ is not enabled and
it has not yet occurred. Hence, $\mathrm{wit}(B_0, 111000)$ is not a cause set for
$\alpha$ despite the fact that $B_0$ is true in 111000 and $\mathrm{enb}(\alpha, 111000)$.

•  $B_1$ is an unstable disjunct for $\mathrm{tran}(\alpha)$ since it is true in 111110 and
becomes false in 121110 before $\alpha$ has occurred. However, unlike the
situation for $B_0$, $\mathrm{wit}(B_1, 111110) = \{(x_1, 1), (x_2, 1), (x_3, 1)\}$ is a cause
set for $\alpha$ since $\alpha$ either is enabled or has occurred in every state where
$\mathrm{wit}(B_1, 111110)$ has occurred.

•  $B_2$ is true in 111110. Note that it is true in $\mathrm{last}(\alpha)$ also. In fact, it is
a stable disjunct and, by Corollary 7.7, $\mathrm{wit}(B_2, 111110)$ is a cause set
of $\alpha$.

•  $B_0$ is true in 130210 also. Because it is true in $\mathrm{last}(\alpha)$, by
Lemma 7.5, $\mathrm{wit}(B_0, 130210)$ is a cause set of $\alpha$. Note, however, that
$\mathrm{wit}(B_0, 130210) = \{(x_0, 1), (x_1, 3), (x_3, 2)\} \neq \mathrm{wit}(B_0, 111000)$. Thus,
a single unstable disjunct $B_0$ can be true in two different states and
give rise to two different sets of witnesses. This situation cannot occur
if the disjunct is stable by virtue of Lemma 7.7.


□ 

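A counterpart of Corollary 7.7 for unstable disjuncts is given below.

Lemma 7.13 If the guard for $\mathrm{tran}(\alpha)$ is $B_0 \vee B_1 \vee \ldots \vee B_m$, $\mathrm{enb}(\alpha, \sigma)$, and

$$W_0(\alpha, \sigma) = \bigcup_{i=0}^{m} \mathrm{wit}(B_i, \sigma), \qquad (7.16)$$

then $W_0(\alpha, \sigma)$ is a cause set of $\alpha$.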
Proof: Let $\tau$ be any state such that $\alpha$ has not occurred and $\neg\mathrm{enb}(\alpha, \tau)$.
Let $\sigma_{\mathrm{init}} \xrightarrow{B} \sigma$ and $\sigma_{\mathrm{init}} \xrightarrow{C} \tau$. Then, by Lemma 5.7 there exists $\phi$ such that

$$(\sigma \xrightarrow{C \setminus B} \phi) \wedge (\tau \xrightarrow{B \setminus C} \phi).$$

Since $\alpha$ has not occurred in $\sigma$ or $\tau$, it has not occurred in $\phi$. So, by
stability, $\mathrm{enb}(\alpha, \sigma)$ implies $\mathrm{enb}(\alpha, \phi)$ and there exists a disjunct $B_i$ such that
$B_i$ is true in $\phi$.

Since $\neg\mathrm{enb}(\alpha, \tau)$, $B_i$ is false in $\tau$ and $B_i$ contains a literal that is false
in $\tau$ but true in $\phi$. Let the variable of that literal be $x_k$ and let $l$ be $\phi[k]$.
Consider $\beta = (x_k, l)$. Since $\mathrm{lit}(\beta)$ has different values in $\tau$ and $\phi$, $\beta$ has not
occurred in $\tau$ and $\beta \in (B \setminus C)$. So, $\beta \in B$ and, consequently, $\sigma[k] \geq l$. But
$\sigma[k] \leq \phi[k] = l$; so, $\sigma[k] = l$. By the choice of $x_k$, $\mathrm{lit}(\beta)$ is true in $\phi$ and
so it is also true in $\sigma$ since $\phi[k] = \sigma[k]$. Hence, $\beta$ is in $\mathrm{wit}(B_i, \sigma)$ which
is contained in $W_0(\alpha, \sigma)$. Consequently, if $W_0(\alpha, \sigma)$ has occurred in $\tau$, then
either $\mathrm{enb}(\alpha, \tau)$ or $\alpha$ has occurred in $\tau$. Q.E.D.

Note that no claim is made as to whether the cause set defined by (7.16)
is minimal. In fact, if $B$ is a stable disjunct, this cause set is typically larger
than $\mathrm{wit}(B, \sigma)$, which is minimal. Minimality is not guaranteed even for
unstable disjuncts. In fact, when Lemma 7.13 is applied to $B_1$ and 111100
in Example 7.6, a cause set of $\{(x_0, 1), (x_1, 1), (x_2, 1), (x_3, 1)\}$ is prescribed.
However, $\{(x_1, 1), (x_2, 1), (x_3, 1)\}$ is sufficient. Currently, no efficient way
to determine the minimal cause set due to an unstable disjunct has been
discovered.


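Lemma 7.14 Let the guard for $\mathrm{tran}(\alpha)$ be $B_0 \vee B_1 \vee \ldots \vee B_m$. Suppose
$\mathrm{enb}(\alpha, \sigma)$ and $B_j$ is true in $\sigma$. Let $W_0(\alpha, \sigma)$ be as defined in (7.16). Let
$W_1(\alpha, B_j, \sigma)$ be

$$\{\gamma : \gamma \in \mathrm{wit}(B_j, \sigma) \vee (\gamma \in W_0(\alpha, \sigma) \wedge \mathrm{wit}(B_j, \sigma) \text{ has occurred in } \mathrm{last}(\gamma)) : \gamma\}. \qquad (7.17)$$

Then,

$$\mathrm{cause}(\alpha, B_j, \sigma) = \begin{cases} \mathrm{wit}(B_j, \sigma) & \text{if } \mathrm{wit}(B_j, \sigma) = \mathrm{wit}(B_j, \mathrm{last}(\alpha)) \\ W_1(\alpha, B_j, \sigma) & \text{if } \mathrm{wit}(B_j, \sigma) \neq \mathrm{wit}(B_j, \mathrm{last}(\alpha)) \end{cases} \qquad (7.18)$$

is a cause set of $\alpha$.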
Proof: By Lemma 7.5, it is sufficient to consider the case when $\mathrm{wit}(B_j, \sigma) \neq
\mathrm{wit}(B_j, \mathrm{last}(\alpha))$. By construction, $\mathrm{wit}(B_j, \sigma) \subseteq \mathrm{cause}(\alpha, B_j, \sigma)$ and so
(7.10) is satisfied. Next, let $\tau$ be any state such that $\mathrm{cause}(\alpha, B_j, \sigma)$ has
occurred, $\alpha$ has not occurred, and $\neg\mathrm{enb}(\alpha, \tau)$. By the arguments in the proof
of Lemma 7.13, there exists $\beta$ in $W_0(\alpha, \sigma)$ such that $\beta$ has not occurred in $\tau$.
So, by Lemma 7.3, $\tau \xrightarrow{*} \mathrm{last}(\beta)$. But $\mathrm{wit}(B_j, \sigma) \subseteq \mathrm{cause}(\alpha, B_j, \sigma)$. Thus,
$\mathrm{wit}(B_j, \sigma)$ has occurred in $\tau$ and, consequently, it has occurred in $\mathrm{last}(\beta)$.
So, by (7.17), $\beta \in \mathrm{cause}(\alpha, B_j, \sigma)$ which is a direct contradiction to the prior
conclusion that $\beta$ has not occurred in $\tau$. Thus, an absurdity can be avoided
only if no such $\tau$ exists. Q.E.D.

Example 7.7: Consider again the cause sets of $\alpha = (x_5, 1)$ in Example 7.6.

•  Since $\mathrm{enb}(\alpha, 111000)$ and $B_0$ is true in 111000, $\mathrm{cause}(\alpha, B_0, 111000)$
is a cause set. Next, note that $W_0(\alpha, 111000) \setminus \mathrm{wit}(B_0, 111000) =
\{(x_2, 1)\}$. Since $\mathrm{wit}(B_0, 111000) = \{(x_0, 1), (x_1, 1), (x_3, 0)\}$ has
occurred in $\mathrm{last}((x_2, 1))$ which has a value of 130210, $(x_2, 1)$ is included in
$\mathrm{cause}(\alpha, B_0, 111000)$. Hence, $\{(x_0, 1), (x_1, 1), (x_2, 1), (x_3, 0)\}$ is a cause
set of $\alpha$.

•  Since $\mathrm{enb}(\alpha, 111100)$ and $B_1$ is true in 111100, $\mathrm{cause}(\alpha, B_1, 111100)$
is a cause set. Next, $W_0(\alpha, 111100) \setminus \mathrm{wit}(B_1, 111100) = \{(x_0, 1)\}$.
Since $\mathrm{wit}(B_1, 111100) = \{(x_1, 1), (x_2, 1), (x_3, 1)\}$ has not occurred in
$\mathrm{last}((x_0, 1)) = 020110$, $(x_2, 1)$ is excluded from $\mathrm{cause}(\alpha, B_1, 111100)$.
Hence, $\{(x_1, 1), (x_2, 1), (x_3, 1)\}$ is a cause set of $\alpha$.


□ 

Though  no  claim  to  the  minimality  of  (7.18)  is  made,  in  practice,  as 
illustrated  by  the  above  example,  the  cause  sets  defined  by  (7.18)  are  often 
minimal. 

In the previous example, we can continue to compute $\mathrm{cause}(\alpha, B_j, \sigma)$ for
every disjunct $B_j$ and every state $\sigma$ such that $\mathrm{enb}(\alpha, \sigma)$ and $B_j$ is true in $\sigma$.
Then,

$$\{B_j, \sigma : \mathrm{enb}(\alpha, \sigma) \wedge B_j \text{ is true in } \sigma : \mathrm{cause}(\alpha, B_j, \sigma)\}$$

is a CSCS for $\alpha$ because setting $A_i$ to $\mathrm{cause}(\alpha, B_j, \sigma)$ satisfies (7.11).
Lemma 7.15, however, can be used to reduce the number of times a cause
set is to be computed. The result makes use of the following definition.
Definition: A disjunct $B$ is critically true in $\tau$, denoted $\mathrm{ctrue}(B, \tau)$, if
$B$ is true in $\tau$ and $\forall \phi : \phi \rightarrow \tau : B$ is false in $\phi$.

Note that for any state $\sigma$ such that $B$ is true in $\sigma$, there exists a state $\tau$
such that $\tau \xrightarrow{*} \sigma$ and $\mathrm{ctrue}(B, \tau)$ because the state graph is acyclic due to
the partial order imposed on the states by the weight function.

Lemma 7.15 Let $B_0 \vee B_1 \vee \ldots \vee B_m$ be the guard of $\alpha$. Then,

$$\{B_j, \tau : \mathrm{enb}(\alpha, \tau) \wedge \mathrm{ctrue}(B_j, \tau) : \mathrm{cause}(\alpha, B_j, \tau)\} \qquad (7.19)$$

is a CSCS of $\alpha$.

Proof: By Lemma 7.14, each member of (7.19) is a cause set of $\alpha$. Let
$B_j$ and $\sigma$ be such that $\mathrm{enb}(\alpha, \sigma)$ and $B_j$ is true in $\sigma$. Then, by
previous arguments, there exists $\tau$ such that $\mathrm{ctrue}(B_j, \tau)$ and $\tau \xrightarrow{*} \sigma$. Since
$B_j$ is true in $\tau$, $\mathrm{enb}(\alpha, \tau)$. Let $n$ be the length of the path $\tau \xrightarrow{*} \sigma$ and
let $A_i = \mathrm{cause}(\alpha, B_j, \tau)$. We will show, by induction on $n$, that (7.11) is
satisfied.

Base Case: ($n = 0$) Here, $\mathrm{ctrue}(B_j, \sigma)$ and $A_i = \mathrm{cause}(\alpha, B_j, \sigma)$.
Hence, $A_i$ has occurred in $\sigma$ and $\mathrm{wit}(B_j, \sigma) \subseteq A_i$.

Inductive Step: Assume (7.11) is satisfied if the length of $\tau \xrightarrow{*} \sigma$ is $n$.
Consider $\phi$ such that $\sigma \rightarrow \phi$, $B_j$ is true in $\phi$, and $\mathrm{enb}(\alpha, \phi)$. Now, $A_i$ has
occurred in $\sigma$, so it has occurred in $\phi$. Moreover, $\mathrm{wit}(B_j, \sigma) = \mathrm{wit}(B_j, \phi)$
since $B_j$ is true in both states and they differ in only one event. So, by
the inductive hypothesis, $\mathrm{wit}(B_j, \phi) = \mathrm{wit}(B_j, \sigma) \subseteq A_i$. Hence, (7.11) is
satisfied with $\phi$ in place of $\sigma$. Q.E.D.

Example 7.8: Suppose we want to determine the CSCS of $\alpha = (x_5, 1)$ in
Example 7.6. The set of all $(B_j, \tau)$ such that $\mathrm{enb}(\alpha, \tau) \wedge \mathrm{ctrue}(B_j, \tau)$ is

$$\{(B_0, 111000), (B_1, 111100), (B_2, 111110), (B_0, 130210)\}. \qquad (7.20)$$

So, by previous analysis, a CSCS of $\alpha$ is

$$\{\{(x_0, 1), (x_1, 1), (x_2, 1), (x_3, 0)\}, \{(x_1, 1), (x_2, 1), (x_3, 1)\},$$

$$\{(x_2, 1), (x_4, 1)\}, \{(x_0, 1), (x_1, 3), (x_3, 2)\}\}.$$

□ 
Though Lemma 7.15 makes no claim as to the minimality of (7.19), in
practice, as illustrated in this example, a minimal CSCS often results. Note
also that, in this example, there are two states where $B_0$ is critically true,
though $\mathrm{wit}(B_0, 111000) \neq \mathrm{wit}(B_0, 130210)$. It is also possible that a
single disjunct $B_j$ is critically true in two different states $\sigma_a$ and $\sigma_b$ with
$\mathrm{wit}(B_j, \sigma_a) = \mathrm{wit}(B_j, \sigma_b)$. In that case, if $\mathrm{cause}(\alpha, B_j, \sigma_a)$ is a subset of
$\mathrm{cause}(\alpha, B_j, \sigma_b)$, then the latter can be removed from the CSCS since (7.11)
with $A_i = \mathrm{cause}(\alpha, B_j, \sigma_b)$ implies (7.11) with $A_i = \mathrm{cause}(\alpha, B_j, \sigma_a)$.
However, as the following example shows, for arbitrary cause sets $A_a$ and $A_b$,
even if $A_a \subseteq A_b$, both $A_a$ and $A_b$ may be needed in the CSCS.

Example  7.9:  Consider  the  following  PR  set  whose  state  graph  is  shown  in 
Figure  7.4: 


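$\neg x_3 \wedge \neg x_4 \rightarrow x_5\uparrow$
$\neg x_3 \rightarrow x_2\uparrow$
$\neg x_3 \rightarrow x_1\uparrow$
$x_5 \rightarrow x_4\uparrow$
$x_4 \rightarrow x_5\downarrow$
$\neg x_3 \wedge x_4 \wedge \neg x_5 \vee x_1 \wedge x_2 \wedge x_4 \rightarrow x_0\uparrow$
$x_0 \wedge x_4 \wedge x_5 \vee x_1 \wedge x_2 \wedge x_4 \rightarrow x_3\uparrow$
$x_3 \wedge \neg x_5 \wedge x_0 \rightarrow x_2\downarrow$
$x_3 \wedge \neg x_5 \wedge x_0 \rightarrow x_1\downarrow$
$x_3 \wedge \neg x_2 \wedge \neg x_1 \wedge \neg x_5 \rightarrow x_4\downarrow$
$x_3 \wedge \neg x_5 \wedge \neg x_4 \rightarrow x_0\downarrow$
$\neg x_4 \wedge \neg x_2 \wedge \neg x_1 \wedge \neg x_0 \rightarrow x_3\downarrow.$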


The states in bold are those in which $\alpha = (x_3, 1)$ is enabled. Let $B_0$ be
$x_0 \wedge x_4 \wedge x_5$ and $B_1$ be $x_1 \wedge x_2 \wedge x_4$. Since $\mathrm{ctrue}(B_1, 011011)$ and
$\mathrm{wit}(B_1, 011011) = \mathrm{wit}(B_1, \mathrm{last}(\alpha))$,

$$A_a = \mathrm{wit}(B_1, 011011) = \{(x_1, 1), (x_2, 1), (x_4, 1)\}$$

is a cause set of $\alpha$. Also, since $\mathrm{ctrue}(B_0, 111011)$, by Lemma 7.14,

$$A_b = \{(x_0, 1), (x_1, 1), (x_2, 1), (x_4, 1), (x_5, 1)\}$$

is another cause set of $\alpha$. Note that though $A_a \subseteq A_b$, $A_b$ is needed since it
is the only cause set that satisfies (7.11) for $B_j = B_0$ and $\sigma = 111011$. □
[Figure 7.4: Cumulative state graph for Example 7.9]
7.5.3 Finding Critically True States

By Lemma 7.15, to find a CSCS for a transition $\alpha$, it is sufficient to find every
disjunct $B_j$ in the guard of $\mathrm{tran}(\alpha)$ and every state $\tau$ such that $\mathrm{ctrue}(B_j, \tau)$.
The difficulty of this search can be illustrated by once again using the PR
set in Example 7.9.

Example  7.10:  The  following  cycle  is  found  when  Algorithm  1  is  applied 
to  Example  7.9: 

000000  000001  000011 
000012  001012  011012 
011112  ^ 2 ^  222222. 

At the state 011012 where $\alpha = (x_3, 1)$ is enabled, only $B_1$ is true. Suppose,
by backtracking from that state, we have determined that $B_1$ is critically true
in state $\tau_1 = 011011$. At this point, there is no indication that there exists a
state $\sigma$ such that $B_0$ is true. Even if we had started at $\mathrm{last}(\alpha) = 111012$, to
reach $\tau_1 = 011011$, it is possible that the following path is backtracked over:

011011  011012  111012. 

Again,  no  state  where  B0  is  true  is  visited.  □ 

It is our conjecture that in order not to miss any $(B_j, \sigma)$ such that
$\mathrm{ctrue}(B_j, \sigma)$ holds, it is necessary, in general, to check every state where
$\alpha$ is enabled. The obvious penalty for this approach is that, in the worst
case, the number of states needed to be checked is exponential in the number
of variables in the PR set. However, typically, the actual number of states
where a particular event is enabled is significantly smaller. Moreover, this
exhaustive check needs to be applied only for events corresponding to
transitions whose PR’s have unstable disjuncts.
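The backtracking filter of Sub-section 7.5.1 and the exhaustive search for critically true states described above, as an added Python example that is not code from the thesis. It assumes a constructed four-variable PR set, events encoded as (variable index, occurrence number) with odd occurrences taken as up-transitions, wit(B, s) read off the examples as the current occurrence number of each variable in B, and a forward-explored, weight-bounded state set in place of the Lemma 5.14 test used by find_incoming.

```python
# Constructed toy PR set (an assumption for illustration, not taken from the thesis).
# Variables a, b, c, d are indices 0..3. A state is a tuple of transition counts
# (a cumulative state); the value of variable k is state[k] % 2.
# Guards are in DNF: a list of disjuncts, each a list of (variable, value) literals.
UP = {
    0: [[(3, 0)]],                   # not d          -> a up
    1: [[(3, 0)]],                   # not d          -> b up
    2: [[(0, 1)], [(1, 1)]],         # a or b         -> c up  (B0 = a, B1 = b)
    3: [[(0, 1), (1, 1), (2, 1)]],   # a and b and c  -> d up
}
DOWN = {
    0: [[(3, 1)]],                   # d              -> a down
    1: [[(3, 1)]],                   # d              -> b down
    2: [[(0, 0), (1, 0)]],           # not a, not b   -> c down
    3: [[(2, 0)]],                   # not c          -> d down
}
INIT = (0, 0, 0, 0)


def guard(event):
    """DNF guard of tran(event); occurrence l is an up-transition when l is odd."""
    k, l = event
    return UP[k] if l % 2 == 1 else DOWN[k]


def holds(disjunct, state):
    return all(state[v] % 2 == val for v, val in disjunct)


def enabled(event, state):
    """enb(event, state): it is the next occurrence of its variable and the guard is true."""
    k, l = event
    return state[k] == l - 1 and any(holds(d, state) for d in guard(event))


def reachable(init, max_weight):
    """Forward exploration of the cumulative state graph up to a weight bound."""
    seen, frontier = {init}, [init]
    while frontier:
        s = frontier.pop()
        for k in range(len(s)):
            if enabled((k, s[k] + 1), s):
                t = s[:k] + (s[k] + 1,) + s[k + 1:]
                if sum(t) <= max_weight and t not in seen:
                    seen.add(t)
                    frontier.append(t)
    return seen


def prev_state(state, event):
    k, _ = event
    return state[:k] + (state[k] - 1,) + state[k + 1:]


def candidates(state, init=INIT):
    """Superset I: events (k, state[k]) with state[k] != init[k] whose guard is true in state."""
    return {(k, state[k]) for k in range(len(state))
            if state[k] != init[k]
            and any(holds(d, state) for d in guard((k, state[k])))}


def incoming(state, states):
    """Keep only candidates whose predecessor exists and actually enables the event."""
    return {ev for ev in candidates(state)
            if prev_state(state, ev) in states
            and enabled(ev, prev_state(state, ev))}


def critically_true(event, states):
    """All (j, s) with enb(event, s), B_j true in s and false in every predecessor of s."""
    found = set()
    for s in states:
        if not enabled(event, s):
            continue
        preds = [prev_state(s, ev) for ev in incoming(s, states)]
        for j, d in enumerate(guard(event)):
            if holds(d, s) and not any(holds(d, p) for p in preds):
                found.add((j, s))
    return found


def wit(disjunct, state):
    """Witness set as read off the thesis examples (assumed definition)."""
    return {(v, state[v]) for v, _ in disjunct}


if __name__ == "__main__":
    states = reachable(INIT, 8)          # one full cycle: every variable up and down
    print(candidates((1, 0, 1, 0)))      # (a,1) passes the two static criteria ...
    print(incoming((1, 0, 1, 0), states))  # ... but only (c,1) has a real predecessor
    for j, s in sorted(critically_true((2, 1), states)):
        print(j, s, wit(UP[2][j], s))
```

In state 1010 the event (a, 1) satisfies both static criteria yet has no predecessor, which is the situation Example 7.5 describes; the critically true pairs are found only by visiting every state where the event is enabled.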

7.5.4  Conversion  to  XER-systems 

The procedure for determining a CSCS for an event $\alpha$ when the PR of $\mathrm{tran}(\alpha)$
may contain unstable disjuncts is unstab-disj() on page 164. The procedure is
invoked from Algorithm 2 which assumes the minimal cycle (7.13) has been
given. As discussed above, backtracking is used to find all states where an
event $\alpha$ is enabled. Suppose, for instance, $\mathrm{enb}(\alpha_0 \oplus \pi, \sigma_{n-1})$. Then, the state
$(\sigma_{n-1} - \pi)$, which has weight less than $\sigma_0$, may not exist if $\sigma_0 = \sigma_{\mathrm{init}}$. Hence,
the set of states where $\alpha_0$ is enabled is smaller than the set of states where
$(\alpha_0 \oplus \pi)$ is enabled. So, to determine the periodic behavior of a system, it
may be necessary to compute the CSCS of $(\alpha \oplus i\pi)$ for some $i > 0$, instead of
$\alpha$. The following two results guarantee that such an $i$ exists. Note that, as
explained in the sub-section on implementation, the constant $I$ introduced
in the lemmas is only a proof device and its value need not be determined.

Lemma 7.16 Let (7.13) be a minimal cycle with $\sigma_0$ a non-transitory state.
Then, there exists a constant $I$ such that for any $i$, $j$, and $\sigma$ satisfying $i \geq 0$
and $\mathrm{enb}(\alpha_j \oplus (i + I)\pi, \sigma)$, the following predicate holds:

$$\forall k : 0 \leq k < K : \sigma[k] \geq \sigma_0[k] + \pi[k]. \qquad (7.21)$$

Furthermore, for any state $\sigma$ and $i \geq 0$ such that $\mathrm{enb}(\alpha_j \oplus (i + I)\pi, \sigma)$, the
state $(\sigma - i\pi)$ exists.

Proof: The number of states $\sigma$ for which (7.21) does not hold is at
most $\prod_{k=0}^{K-1} (\sigma_0[k] + \pi[k])$, which is finite. Since $\mathrm{enb}(\alpha_j \oplus i_a\pi, \sigma)$ and
$\mathrm{enb}(\alpha_j \oplus i_b\pi, \sigma)$ implies $i_a = i_b$, by the Pigeonhole Principle, there are a
finite number of $i$’s for which there exists $\sigma$ satisfying $\mathrm{enb}(\alpha_j \oplus i\pi, \sigma)$ but not
(7.21). So, there exists $I_j$ such that $i \geq 0$ and $\mathrm{enb}(\alpha_j \oplus (i + I_j)\pi, \sigma)$ imply
(7.21). Setting $I$ to be the maximum of the $I_j$’s establishes the first part of
the lemma.

Next, suppose, toward a contradiction, that the second part of the
lemma does not hold. Let $i$ be the smallest integer such that there
exist $j$ and $\sigma$ satisfying $i \geq 0$, $\mathrm{enb}(\alpha_j \oplus (i + I)\pi, \sigma)$, and the state $(\sigma - i\pi)$
does not exist. Obviously, $i \neq 0$. By Lemma 5.9, (7.21) implies
$(\sigma_0 + \pi) \xrightarrow{*} \sigma$. So, by Lemma 5.16, $\sigma_0 \xrightarrow{*} (\sigma - \pi)$. But $\mathrm{enb}(\alpha_j \oplus (i + I)\pi, \sigma)$
implies $\mathrm{enb}(\alpha_j \oplus (i - 1 + I)\pi, \sigma - \pi)$ and $(\sigma - i\pi)$ does not exist implies
$((\sigma - \pi) - (i - 1)\pi)$ does not exist. So, $i - 1$ satisfies the conditions required
of $i$ and is also smaller. This contradiction proves the lemma. Q.E.D.

Lemma 7.17 If $\{A_0, A_1, \ldots, A_{L-1}\}$ is a CSCS of $(\alpha \oplus I\pi)$ as prescribed
by Lemma 7.15, then $\{A_0 \oplus i\pi, A_1 \oplus i\pi, \ldots, A_{L-1} \oplus i\pi\}$ is a CSCS of
$(\alpha \oplus (i + I)\pi)$.
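Proof: Let $B$ be any disjunct in the guard of $\mathrm{tran}(\alpha)$. By arguments similar
to those in the proof of Corollary 7.11, $\mathrm{last}(\alpha \oplus (i + I)\pi) = (\mathrm{last}(\alpha \oplus I\pi) +
i\pi)$ and $\mathrm{wit}(B, \sigma + i\pi) = (\mathrm{wit}(B, \sigma) \oplus i\pi)$. So,

$$\mathrm{cause}(\alpha \oplus (i + I)\pi, B, \sigma + i\pi) = (\mathrm{cause}(\alpha \oplus I\pi, B, \sigma) \oplus i\pi).$$

Therefore, from Lemma 7.14, it remains to show that for any $\tau$ and $\hat{\tau}$,

$$\mathrm{enb}(\alpha \oplus I\pi, \tau) \wedge \mathrm{ctrue}(B, \tau) \Rightarrow \mathrm{enb}(\alpha \oplus (i + I)\pi, \tau + i\pi) \wedge \mathrm{ctrue}(B, \tau + i\pi) \qquad (7.22)$$

and

$$\mathrm{enb}(\alpha \oplus (i + I)\pi, \hat{\tau}) \wedge \mathrm{ctrue}(B, \hat{\tau}) \Rightarrow \mathrm{enb}(\alpha \oplus I\pi, \hat{\tau} - i\pi) \wedge \mathrm{ctrue}(B, \hat{\tau} - i\pi). \qquad (7.23)$$

If the antecedent of (7.22) holds, then, $\mathrm{enb}(\alpha \oplus (i + I)\pi, \tau + i\pi)$ and
$B$ is true in $(\tau + i\pi)$ due to Lemma 5.15. Moreover, if there exists $\phi$
such that $\phi \rightarrow (\tau + i\pi)$ and $B$ is true in $\phi$, then, by Lemma 7.16 and
Lemma 5.16, state $(\phi - i\pi)$ exists, $(\phi - i\pi) \rightarrow \tau$, and $B$ is true in $\phi - i\pi$.
This situation contradicts $\mathrm{ctrue}(B, \tau)$. Thus, $B$ is critically true in $(\tau + i\pi)$
and (7.22) is established.

Conversely, let $\hat{\tau}$ be any state such that $\mathrm{enb}(\alpha \oplus (i + I)\pi, \hat{\tau})$ and
$\mathrm{ctrue}(B, \hat{\tau})$. Then, by Lemma 7.16, $(\hat{\tau} - i\pi)$ is a state and, by Lemma 5.15,
$\mathrm{enb}(\alpha \oplus I\pi, \hat{\tau} - i\pi)$ and $B$ is true in $(\hat{\tau} - i\pi)$. Moreover, if $B$ is not
critically true in $(\hat{\tau} - i\pi)$ then $B$ is not critically true in $\hat{\tau}$ due to Lemma 5.16.
Hence, $\mathrm{ctrue}(B, \hat{\tau} - i\pi)$ and (7.23) is verified. Q.E.D.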

We are now ready to prove the correctness of Algorithm 2 in the
general case where there are unstable disjuncts. The algorithm makes use of
unstab-disjsub() to recursively visit all states $\sigma$ where a particular event
a0 is enabled. As described in Sub-section 7.5.1, find_incoming(s) returns
incoming(s). Also, for any b in incoming(s), prevstate(s, b) returns the
state $\tau$ such that $\tau \xrightarrow{b} s$.


Lemma 7.18 Let $X'$ be the repetitive XER-system generated by Algorithm 2.
Let $X$ be the general XER-system induced by $X'$. Then, there exists a
constant $I_{\max}$ such that for all $i > I_{\max}$, if the XER-system event $(u, i)$
represents the event $\alpha$, then the set of all cause sets of $(u, i)$ in $X$ represents a
CSCS of $\alpha$.
Proof: Let $\alpha_j$ be an event in (7.13). If the guard of $\mathrm{tran}(\alpha_j)$ is known to
have only stable disjuncts, then, by Lemma 7.12, the result holds for any
XER-system  event  ( u(cuj),i )  provided  /max  >  $max- 

So, it suffices to analyze the case when unstab-disj($\alpha_j$, s) is invoked.
The purpose of that procedure is to determine a CSCS for $\alpha = (\alpha_j \oplus I\pi)$
according to Lemma 7.15 and Lemma 7.14. First, $\mathrm{last}(\alpha)$ is computed and
assigned to s0 by using the identity $\mathrm{last}(\alpha_j \oplus I\pi) = (\mathrm{last}(\alpha_j) + I\pi)$. Then,
after  setting  aO,  UO,  and  V,  unstab-disjsubiy ,  aO,  sO)  is  called. 

Next, consider an instantiation of unstab-disjsub(U, a0, s). From the
topology of the procedures, the event a0 is enabled in state s. Also, from
the definition of find_incoming(), t assumes every value $\tau$ such that $\tau \rightarrow s$.
So, there is a call of unstab-disjsub(V, a0, t) whenever there is a call of
unstab-disjsub(U, a0, s) provided $t \rightarrow s$ and $\mathrm{enb}(a0, t)$. Applying this
observation recursively implies that there is a call of unstab-disjsub(U, a0, $\sigma$)
whenever $\mathrm{enb}(a0, \sigma)$ and $\sigma \xrightarrow{*} s0$.

Next, let the guard of $\mathrm{tran}(\alpha)$ be $B_0 \vee B_1 \vee \ldots \vee B_M$ and consider the
operations executed by unstab-disjsub(U, a0, s). Before the first loop in the
procedure, $U = \{B_j : B_j \text{ is true in } s : \mathrm{wit}(B_j, s)\}$. Now, $\mathrm{wit}(B_j, s)$ is
removed from U if and only if there exists an assignment to t and a disjunct
$B_{\hat{\jmath}}$ such that

$$\mathrm{enb}(a0, t) \wedge t \rightarrow s \wedge \mathrm{wit}(B_j, s) = \mathrm{wit}(B_{\hat{\jmath}}, t). \qquad (7.24)$$

Since the guard is in DNF, the last conjunct above implies $j = \hat{\jmath}$. Hence,
at the end of the first loop in unstab-disjsub(), $U = \{B_j : \mathrm{ctrue}(B_j, s) :
\mathrm{wit}(B_j, s)\}$.

The second loop in unstab-disjsub() computes $\mathrm{cause}(a0, B_j, s)$ according
to Lemma 7.14. For each $B_j$ such that $\mathrm{ctrue}(B_j, s)$, gen_template(Z, a0)
is called with Z set equal to $\mathrm{cause}(a0, B_j, s)$. Let $W$ be the set of $C$’s such
that there is a call of gen_template(Z, a0) with $Z = C$ during the execution
of the algorithm. Since all states $\sigma$ such that $\mathrm{enb}(a0, \sigma)$ and all disjuncts
$B_j$ such that $\mathrm{ctrue}(B_j, \sigma)$ are included, by Lemma 7.15, $W$ is a CSCS of
a0. Consequently, using arguments similar to those used in the proof of
Lemma  7.12  and  the  periodic  behavior  implied  by  Lemma  7.17,  it  can  then 
be  shown  that  for  all  i  +  I  >  #max,  the  set  of  all  cause  sets  of  ( u ,  i  + 1) 
represents a CSCS of $(\alpha_j \oplus (i + I)\pi)$ whenever $u = u(\alpha_j)$. Q.E.D.
7.5.5 Implementation Issues

In Algorithm 2, there are several implementation issues that need to be
addressed. The most important one is that the identity of $I$ does not need
to be determined beforehand. Instead, assume an implicit offset of $I\pi$ has
been added to all states and events. Thus, the cycle (7.13), when used by
the algorithm, actually represents

(<7„  +  ft)  {.t,  +  ft)  H  (<T„  +  ft).  (7.25) 

Also, the addition and extension by $I\pi$ in unstab-disj() and the check for
$(s[k] \neq \sigma_{\mathrm{init}}[k])$ in find_incoming() are removed. With these modifications, a
state may now have negative components in the program. However, through
the use of the implicit offset, the value of $I$ can be assumed to be large
enough so that all of the states are reachable from $\sigma_{\mathrm{init}}$. Similar arguments
apply to events with negative occurrence numbers in the algorithm. Since
the same XER-system is generated as before, the explicit references to $I$ can
be removed from Algorithm 2 without affecting its correctness.

Next, observe that in unstab-disjsub(), we are only interested in finding
$\beta$’s satisfying

$$(\exists \tau :: \tau \xrightarrow{\beta} s) \wedge (\tau \xrightarrow{\beta} s \Rightarrow \mathrm{enb}(a0, \tau)). \qquad (7.26)$$

The first condition is guaranteed by find_incoming() returning incoming(s)
and the second condition is checked explicitly in unstab-disjsub(). Note,
however, that the second condition can be checked statically. Hence, it should
be checked first so as to reduce the number of candidates for which the
first condition needs to be verified. This optimization can be realized by
modifying find_incoming() so that it accepts an additional parameter a0 and
removes from I every event $\beta$ that does not satisfy the second condition
in (7.26). The removal should be done at the beginning of the foreach-loop
for maximum efficiency.


7.6  Complexity 

We have presented Algorithm 2 for converting a non-separable PR set with a
given minimal cycle into a repetitive XER-system $X'$. For each event $\alpha$, if its
guard is conjunctive or mutex, then its CSCS can be computed immediately.
Else, if the PR for $\mathrm{tran}(\alpha)$ contains only stable disjuncts, then one needs
to trace a path to find $\mathrm{last}(\alpha)$. Since $\alpha$ is enabled in every state along that
path, there appears to be a limit on how many states there are in that path.
In fact, from experience, we believe that the actual length of the path cannot
be greater than the number of events in the cycle though currently no proof
exists. Assuming the bound is correct, then, if the PR set does not contain
unstable disjuncts, the number of states visited by Algorithm 2 is at most
quadratic in the number of events in the cycle.

The situation can worsen considerably if there are PR’s with unstable
disjuncts. For an event, $\alpha$, whose transition involves such a PR, every state
where $\alpha$ is enabled needs to be visited. In the worst case, this number can
be exponential in the number of variables though, typically, it is much less.
Also, in practice, PR’s with unstable disjuncts are rare. Thus, Algorithm 2
provides a simple way to convert PR sets into repetitive XER-systems.
Chapter 8
Conclusion


8.1  Summary 

In this thesis, we have addressed the problems involved in the timing
analysis of asynchronous VLSI circuits. We have presented examples of practical
circuits (quick-decision zero-checkers) that are inherently disjunctive and use
them as our motivation for generalizing Burns’ ER-systems. We have verified
that an extended ER-system (XER-system) retains many properties of the
original and shown how its period can be computed. The main result on
XER-systems is Theorem 4.2 which states that this period is a good
indication of the steady-state performance of a repetitive XER-system.

We have also considered the issues involved in determining the periodic
behavior of a data-dependent circuit. Using cumulative state graphs and
indexed events, we have developed an abstraction for studying the states
in the execution of an asynchronous circuit. With this abstraction, we are
able to establish some important properties (Theorem 5.1 and Theorem 5.2)
concerning the periodic behavior of such a circuit. Subsequently, we have
presented a simple algorithm, index-priority simulation, for finding all
minimal periods in the state graph of an asynchronous circuit. We have also
shown that the computation performed by the algorithm can be further
reduced if the graph is known to be uniform; therefore, sufficient criteria for
uniform graphs have been given.

The representation of an asynchronous circuit, once its minimal periods
have been determined, as an XER-system is the topic of Chapter 7. There, we
have argued that our definition of the cause sets of an event corresponds to the
assumption on delay-insensitivity. Then, we have presented an algorithm to
systematically extract the causality relationships from the circuit and model
them in an XER-system. A distinction is made between circuits that have
only stable disjuncts and those that do not since the computation required
for the former is much less than that for the latter.

To summarize, index-priority simulation is used to model a circuit as
an XER-system, whose period can be analytically computed and accurately
indicates the speed of the circuit. Thus, we have developed a systematic
approach to evaluating and optimizing the performance of asynchronous VLSI
circuits, even those that are data-dependent and inherently disjunctive. The
approach is efficient for many practical circuits and, we believe, serves as
a good framework for future work in this area. Furthermore, many of the
results can be applied to other concurrent systems. In particular,
index-priority simulation is a simple and efficient way for finding minimal cycles in
the state graphs of these systems.


8.2  Future  Work 

In this section, we list some possible areas of further research. First, we are
currently investigating how the results of this thesis can be applied to the
analysis of other metrics of a circuit, such as energy, latency, power-delay
product, etc. Moreover, besides transistor sizing, we plan to incorporate
other methods of speeding up a circuit — for instance, adding inverters to
the circuit or reordering the transistors within an element — into the
performance optimization procedure. Also, a systematic way to choose “typical”
environmental scenarios and to combine results from them would be very
useful.

In  regard  to  XER-systems,  finding  more  efficient  ways  to  compute  their 
periods  would  be  very  beneficial  when  there  are  many  transitions  that  are 
disjunctively  caused.  The  proof  of  Theorem  4.2  is  very  long  and  a  more  direct 
proof  may  be  possible.  Furthermore,  in  order  for  (4.75)  in  that  theorem  to 
hold,  we  believe  requiring  every  transition  vertex  to  be  reachable  from  a 
critical  path  in  a  critical  scenario  is  both  necessary  and  sufficient;  however, 
this  conjecture  remains  to  be  verified. 

The  conditions  derived  in  Section  6.3  are  sufficient  but  not  necessary  for  a 
graph to be uniform; for the sake of completeness, a complete characterization
would  be  desirable.  Also,  the  bound  given  on  the  number  of  states  visited 
in  Algorithm  2  when  there  are  only  stable  disjuncts  is  empirical;  a  rigorous 
proof  would  be  more  satisfactory.  Furthermore,  it  would  be  beneficial  to 
have  a  definite  answer  to  the  complexity  involved  in  finding  the  CSCS  for  a 
transition  whose  guard  has  unstable  disjuncts. 

Finally,  though  the  definitions  of  causes  given  in  Section  7.2  are  valid  if 
the  delays  between  transitions  are  arbitrary,  it  is  possible  to  come  up  with 
alternative  definitions  that  result  in  smaller  XER-systems  if  one  makes  some 
delay  assumptions  on  the  timing  model  being  used.  Some  preliminary  work 
on  using  only  triggers,  as  defined  in  Sub-section  6.3.1,  as  causes  has  already 
been  done  and  has  shown  promising  results. 
Appendix A
Algorithms


The following algorithms are written in a language that is a slight variation
of Pidgin ALGOL of [1]. For clarity, we have adopted the following conventions:
names for storage variables and types are in typewriter font, words
reserved by the language are in sans serif font, procedure names are in slanted
font, and theoretical expressions and descriptive prose are written in their
standard formats. We have used the construct “foreach variable s.t. condition
do statement,” instead of the standard for loop, when the order in which the
loop variable assumes its range of possible values is not important. Also, the
instantiation operator (“such that”) is denoted by ∋; e.g., “i ∋ i + 5 = 6”
returns the number 1. Finally, procedure calls are by reference and all
program variables are assumed to be global except when masked by the formal
parameters of a procedure or by its local variables.
A.1  Algorithm 1

Input:   A stable PR set V with variables x₀, x₁, …, xₖ₋₁ and an initial
         state

Output:  A non-transitory state S[n] and an array of cycles C[ ] such that
         if C[i] = σᵢ —*→ (σᵢ + πᵢ) for 0 ≤ i < p, then (6.18) and (6.19)
         are satisfied.

Algorithm index_priority_simulation()
begin
    Cycle c;
    Array_of_Cycles C[ ];
    Array_of_States S[ ];
    Array_of_Events A[ ];
    Set_of_Variables U;
    Set_of_Variables V;
    Integer n, p;

    p ← 0;
    V ← ∅;
    S[0] ← σ_init;
    n ← 0;
    repeat
    begin
        c ← find_cycle(U);
        if (c ≠ empty_cycle) then
        begin
            C[p] ← c;
            V ← V ∪ U;
            p ← p + 1
        end
    end
    until (c = empty_cycle);
    return S[n] and C
end
procedure find_cycle(Set_of_Variables U)
begin
    Set_of_Events E;
    State s;
    Integer k, i, m;

    E ← {α : enb(α, S[n]) ∧ var(α) ∉ V : α};
    while (E ≠ ∅) do
    begin
        k ← max{κ, λ : (x_κ, λ) ∈ E : κ};
        A[n] ← (x_κ, λ) ∋ (x_κ, λ) ∈ E ∧ κ = k;
        s ← next_state(S[n], A[n]);
        if (∃i : 0 ≤ i < n : bool(S[i]) = bool(s)) then
        begin
            i ← i ∋ bool(S[i]) = bool(s);
            U ← {j : i ≤ j ≤ n : var(A[j])};
            m ← n;
            n ← i;
            return S[i] —A[i]→ S[i + 1] —A[i + 1]→ ⋯ —A[m]→ s
        end
        else
        begin
            n ← n + 1;
            S[n] ← s;
            E ← {α : enb(α, s) ∧ var(α) ∉ V : α}
        end
    end;
    return empty_cycle
end
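
An added example, not part of the thesis: Algorithm 1 made runnable in Python on a constructed PR set of two independent three-inverter rings. It assumes states are tuples of booleans and events are (variable index, new value) pairs without occurrence indices; all names are this example's own.

```python
# Added example: Algorithm 1 on a constructed PR set (not from the thesis).
# Assumptions: a state is a tuple of booleans; an event is (k, value) for
# variable x_k; occurrence indices are omitted.

def ring(a, b, c):
    """Drivers of a three-inverter ring: a is driven by c, b by a, c by b."""
    return {a: c, b: a, c: b}

# Constructed PR set: two independent rings, x0..x2 and x3..x5.
DRIVER = {**ring(0, 1, 2), **ring(3, 4, 5)}
INIT = (False, True, False, False, True, False)

def enabled(state, done):
    """Events whose guard holds in `state` and whose variable is not in `done`."""
    return [(k, not state[d]) for k, d in DRIVER.items()
            if k not in done and state[k] == state[d]]

def fire(state, event):
    k, value = event
    return state[:k] + (value,) + state[k + 1:]

def find_cycle(S, A, done):
    """Fire the highest-index enabled event until a boolean state repeats."""
    E = enabled(S[-1], done)
    while E:
        ev = max(E)                    # index priority: largest k wins
        s = fire(S[-1], ev)
        A.append(ev)                   # A[n] is the event fired from S[n]
        if s in S:
            i = S.index(s)
            cycle = A[i:]              # events A[i] .. A[m] closing the cycle
            del S[i + 1:], A[i:]       # n <- i: resume from the repeated state
            return cycle
        S.append(s)
        E = enabled(s, done)
    return None                        # empty cycle: nothing left to fire

def index_priority_simulation(init=INIT):
    S, A, done, cycles = [init], [], set(), []
    while (c := find_cycle(S, A, done)) is not None:
        cycles.append(c)
        done |= {k for k, _ in c}      # V <- V ∪ U
    return S[-1], cycles
```

Because the highest-index enabled event always fires first, each returned cycle involves the variables of a single ring rather than an interleaving of both.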
A.2  Algorithm 2

Input:   A non-separable PR set V with set of events ℰ(V); a minimal
         cycle σ₀ → σ₁ → ⋯ → σₙ in the state graph of V with σ₀
         a non-transitory state, π the period of the cycle, and A = {i :
         0 ≤ i < n : αᵢ}; the constant l as prescribed by Lemma 7.16;
         and the transition set E′ = {i : 0 ≤ i < n : u(αᵢ)} for the
         repetitive XER-system X′ = (E′, R′, δ, θ) which is to model V.

Output:  The template set R′ and occurrence-index offset function δ for
         X′.

Algorithm generate_template_set()
begin
    Integer i;
    Set_of_Templates R;
    Set_of_(Transition, Transition, Template, Integer) T;

    R ← ∅;
    T ← ∅;
    i ← 0;
    while (i < n) do
    begin
        if (the guard of tran(αᵢ) is conjunctive) then
            gen_template(wit(the guard of tran(αᵢ), σᵢ), αᵢ)
        else if (the guard of tran(αᵢ) has only stable disjuncts) then
            stab_disj(αᵢ, σᵢ)
        else
            unstab_disj(αᵢ, σᵢ);
        i ← i + 1
    end;
    return R and T
end
procedure stab_disj(Event a, State s)
begin
    State t;
    Disjunct B;

    if (the disjuncts in the guard of tran(a) are mutex) then
    begin
        B ← B ∋ B is a disjunct in the guard of tran(a) ∧ B is true in s;
        gen_template(wit(B, s), a)
    end
    else
    begin
        t ← fire_only(ℰ(V) \ {a}, s);
        foreach B s.t. B is a disjunct in the guard of tran(a) ∧
                       B is true in t do
            gen_template(wit(B, t), a)
    end
end


procedure fire_only(Set_of_Events D, State s)
begin
    Set_of_Events E;
    Event b;
    State t;

    t ← s;
    E ← {β : enb(β, t) ∧ β ∈ D : β};
    while (E ≠ ∅) do
    begin
        b ← β ∋ β ∈ E;
        t ← next_state(t, b);
        E ← {β : enb(β, t) ∧ β ∈ D : β}
    end;
    return t
end
procedure gen_template(Set_of_Events Z, Event a)
begin
    Integer l, e;
    Event b;
    Variable x;
    Transition u;
    Set_of_Transitions C;
    Set_of_(Transition, Integer) F;

    C ← ∅;
    F ← ∅;
    foreach (x, l) s.t. (x, l) ∈ Z do
    begin
        e ← e ∋ ((x, l) ® eπ) ∈ A;
        b ← (x, l) ® eπ;
        C ← C ∪ {u(b)};
        F ← F ∪ {(u(b), e)}
    end;
    R ← R ∪ {C ↦ u(a)};
    foreach (u, e) s.t. (u, e) ∈ F do
        T ← T ∪ {(u, u(a), C ↦ u(a), e)}
end

procedure unstab_disj(Event a, State s)
begin
    Set_of_Sets_of_Events U0, V;
    Event a0;
    State s0;

    s0 ← fire_only(ℰ(V) \ {a}, s) + lπ;
    a0 ← a © lπ;
    U0 ← {B : B is a disjunct in the guard of tran(a) ∧
              B is true in s0 : wit(B, s0)};
    V ← U0;
    unstab_disjsub(V, a0, s0)
end
procedure unstab_disjsub(Set_of_Sets_of_Events U, Event a0, State s)
begin
    Set_of_Sets_of_Events V;
    Set_of_Events I, W, Y;
    State t;
    Event b;

    I ← find_incoming(s);
    foreach b s.t. b ∈ I do
    begin
        t ← prev_state(s, b);
        if (enb(a0, t)) then
        begin
            V ← {B : B is a disjunct in the guard of tran(a0) ∧
                     B is true in t : wit(B, t)};
            U ← U \ V;
            unstab_disjsub(V, a0, t)
        end
    end;
    foreach W s.t. W ∈ U do
        if (W ∈ U0) then
            gen_template(W, a0)
        else
        begin
            Y ← W;
            foreach b s.t. b ∈ (wit(guard of tran(a0), s) \ W) do
            begin
                t ← fire_only(ℰ(V) \ {b}, s);
                if (W has occurred in t) then
                    Y ← Y ∪ {b}
            end;
            gen_template(Y, a0)
        end
end
procedure find_incoming(State s)
begin
    Set_of_Events I, E, D;
    State p, t;
    Event b;

    E ← {β : guard of tran(β) is true in s : β};
    I ← {xₖ, l : (xₖ, l) ∈ E ∧ s[k] = l ∧ s[k] ≠ σ_init[k] : 0}
    foreach b s.t. b ∈ I do
    begin
        D ← V ∋ (∃φ :: (φ —V*→ s) ∧ (b ∈ V));
        p ← φ ∋ φ —D*→ s;
        t ← fire_only(p \ {b}, p);
        if (¬(t s)) then
            I ← I \ {b}
    end;
    return I
end